What is the best way to escape HTML-specific characters in a string (PowerShell)?
There's a class that will do this in System.Web.
Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlEncode('something <somthing else>')
You can even go the other way:
[System.Web.HttpUtility]::HtmlDecode('something <something else>')
Powershell escaping special characters in HTML string: Ampersand
Invoke-Expression
is considered harmful. Do not use it. You don't need it anyway. Just run your commandline as-is (minus the quotes around the variable $encodedBody
of course).
$theBody = Get-Content '.\welcomeMessageP1.htm'
$encodedBody = [Net.WebUtility]::HtmlEncode($theBody)
.\sendmail.ps1 –subject 'test email' –body $encodedBody -recipient 'someuser@mydomain.com'
How to escape special characters in PowerShell?
You're using Invoke-Expression
to call an external program:
There's no reason to do that, and
Invoke-Expression
should generally be avoided: it causes quoting headaches (as in your case), but, more importantly, it can be a security risk and there are typically better solutions.- As an aside: Unfortunately, even with direct invocation there can be quoting challenges around empty-string arguments and arguments with embedded
"
chars. - see footnote [1] and this answer.
- As an aside: Unfortunately, even with direct invocation there can be quoting challenges around empty-string arguments and arguments with embedded
If you instead invoke the external program directly - as any shell, including PowerShell is designed to do - your problem will likely go away:[1]
& <path_to_exe> -install $user $password
Note: &
, PowerShell's call operator, is only needed if your executable's path is quoted (e.g, "C:\Program Files\foo.exe"
) and/or is specified via a variable reference (e.g., $HOME\foo.exe
); otherwise, you can invoke the executable as-is (e.g., to invoke cmd.exe
, use something like cmd /c 'echo hi'
).
Separately, if you do ever find yourself needing to escape any of the characters in a set of characters, use -replace
with a character class, [...]
:
Note: This is not necessary for passing arguments, neither to external programs, as shown above, nor to PowerShell commands; however, due to PowerShell's broken handling of "
characters embedded in argument values passed to external programs, you may have to escape "
characters (only), as \"
[1].
PS> 'a*b\c~d;e(f%g?h.i:j@k/l' -replace '[*\\~;(%?.:@/]', '`$&'
a`*b`\c`~d`;e`(f`%g`?h`.i`:j`@k`/l # all chars. inside [...] were `-escaped
Note: Since \
has special meaning even inside a character class, it had to be escaped as \\
- all other chars. are used as-is.
For more information about the -replace
operator, see this answer.
[1] There is one character that still causes problems: embedded "
. For historical reasons, PowerShell does not properly pass embedded "
correctly to external programs, and annoyingly requires manual \
-escaping - see this GitHub issue for details.
Applied to your solution:& <path_to_exe> -install $user ($password -replace '"', '\"'
)
Powershell, escaping specific character in string variable not present in regex escape method
I learned that I can use
[Regex]::Escape()
to escape all the commonly escaped characters in string variables
And now you'll learn that that isn't true at all :)
[regex]::Escape()
only escapes characters that would otherwise risk being interpreted as escape sequences as defined by .NET's regular expression grammar - it's designed for, and only guaranteed to work in, that context.
For URI parameters, you'll want to use [uri]::EscapeDataString()
:
Invoke-RestMethod -Uri ("$MyURL" + [uri]::EscapeDataString("?path=$MyPath")) ...
powershell script replace special character like à by agrave;
This good answer to the question What is the best way to escape HTML-specific characters in a string presents a .net
method to accomplish this and also to reverse it
Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlEncode('something <somthing else>')
[System.Web.HttpUtility]::HtmlDecode('something <something else>')
Sample output
something <somthing else>
something <something else>
Putting your csv text in a here string
$Text = @"
à à =line 1 in csv
â â = line 2 in csv
é é
è è
ê ê
î î
ï ï
œ œ
ù ù
û û
ç ç
"@
Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlDecode($Text)
has this output:
à à =line 1 in csv
â â = line 2 in csv
é é
è è
ê ê
î î
ï ï
œ œ
ù ù
û û
ç ç
So there is no need to do every posssible replacement in a loop.
Escape an entire string variable which MAY contain characters that need escaping
Use .net library:
[System.Web.HttpUtility]::HtmlEncode()
and ::HtmlDecode
to read encoded strings.
Edit:
I can see that you pasted your script. And there's an error.
The method HtmlEncode() return System.String, so change this:
[System.Web.HttpUtility]::HtmlEncode($xpassword)
To this:
$xpassword=[System.Web.HttpUtility]::HtmlEncode($xpassword)
Otherwise your script will only print the encoded string, and $xpassword stays the same.
How to escape @ within a string in PowerShell?
Invoke-Expression
(iex
) should generally be avoided; definitely don't use it to invoke an external program or PowerShell script.
Therefore:
- invoke
curl
directly - and quote PowerShell metacharacters such as
@
(see this answer for the full list) - either individually, with`
(e.g.,`@
), or by enclosing the entire argument in quotes ('...'
or"..."
, as appropriate).
curl -d `@request.txt -o testoutput.xml -X "POST" -H @header.txt -u "username:password" "URL"
As for what you tried:
The primary concern about Invoke-Expression
use is one of security: unwanted execution of (additional) commands potentially injected into the string passed to it.
In terms of functionality, Invoke-Expression
is not only not needed for regular calls to external programs, it can create quoting headaches.
However, given that you're passing a '...'
string to Invoke-Expression
, quoting the @
as `@
would have worked, as shown in this simple example:
# OK, but generally do NOT do this.
Invoke-Expression 'Write-Output `@'
Had you used a "..."
string, the `
would have been "eaten" by the up-front parsing of such an expandable string, based on the escaping rules explained in the conceptual about_Quoting_Rules help topic:
# BREAKS, because the ` is stripped before Invoke-Expression sees it.
Invoke-Expression "Write-Output `@"
Replacing a string in file containing special characters
Simple example using convertfrom-json:
cat file.json
{
"id": "Save as PDF"
}
$a = get-content file.json | convertfrom-json
$a
id
--
Save as JPG
$a.id = 'Save as PDF'
$a | convertto-json
{
"id": "Save as PDF"
}
$a | convertto-json | set-content file.json
cat file.json
{
"id": "Save as PDF"
}
Related Topics
What Happens If The Action Field in a <Form> Has Parameters
Draw Triangle in Corner of Div
How to Use Access-Control-Allow-Origin? Does It Just Go in Between The HTML Head Tags
Semantically, Which Is More Correct: a in H2, or H2 in A
Ticks for Type="Range" HTML Input
Scrollbar Without Fixed Height/Dynamic Height with Scrollbar
How to Remove The Border Around an Image Without a Source
Set CSS Border to End in a 90 Instead of a 45 Degree Angle
Combining Two or More Canvas Elements with Some Sort of Blending
Why Does Width and Height of a Flex Item Affect How a Flex Item Is Rendered
How to Wrap My Markdown in an HTML Div
Button Image as Form Input Submit Button
Wrapping Text Around an Image with Indentation and Justify
Html/Css: Empty Page + Only Header Page When Printing Table
What's The Point of Having Hidden Input in HTML? What Are Common Uses for This