How to Escape HTML-Specific Characters in a String (Powershell)

What is the best way to escape HTML-specific characters in a string (PowerShell)?

There's a class that will do this in System.Web.

Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlEncode('something <somthing else>')

You can even go the other way:

[System.Web.HttpUtility]::HtmlDecode('something &lt;something else&gt;')

Powershell escaping special characters in HTML string: Ampersand

Invoke-Expression is considered harmful. Do not use it. You don't need it anyway. Just run your commandline as-is (minus the quotes around the variable $encodedBody of course).

# -Raw reads the file as one string; without it Get-Content returns an array of lines.
$theBody = Get-Content '.\welcomeMessageP1.htm' -Raw
$encodedBody = [Net.WebUtility]::HtmlEncode($theBody)

.\sendmail.ps1 -subject 'test email' -body $encodedBody -recipient 'someuser@mydomain.com'

How to escape special characters in PowerShell?

You're using Invoke-Expression to call an external program:

  • There's no reason to do that, and Invoke-Expression should generally be avoided: it causes quoting headaches (as in your case), but, more importantly, it can be a security risk and there are typically better solutions.

    • As an aside: Unfortunately, even with direct invocation there can be quoting challenges around empty-string arguments and arguments with embedded " chars. - see footnote [1] and this answer.
  • If you instead invoke the external program directly - as any shell, including PowerShell is designed to do - your problem will likely go away:[1]

& <path_to_exe> -install $user $password

Note: &, PowerShell's call operator, is only needed if your executable's path is quoted (e.g., "C:\Program Files\foo.exe") and/or is specified via a variable reference (e.g., $HOME\foo.exe); otherwise, you can invoke the executable as-is (e.g., to invoke cmd.exe, use something like cmd /c 'echo hi').


Separately, if you do ever find yourself needing to escape any of the characters in a set of characters, use -replace with a character class, [...]:

Note: This is not necessary for passing arguments, neither to external programs, as shown above, nor to PowerShell commands; however, due to PowerShell's broken handling of " characters embedded in argument values passed to external programs, you may have to escape " characters (only), as \"[1].

PS> 'a*b\c~d;e(f%g?h.i:j@k/l' -replace '[*\\~;(%?.:@/]', '`$&'
a`*b`\c`~d`;e`(f`%g`?h`.i`:j`@k`/l # all chars. inside [...] were `-escaped

Note: Since \ has special meaning even inside a character class, it had to be escaped as \\ - all other chars. are used as-is.

For more information about the -replace operator, see this answer.


[1] There is one character that still causes problems: embedded ". For historical reasons, PowerShell does not properly pass embedded " correctly to external programs, and annoyingly requires manual \-escaping - see this GitHub issue for details.
Applied to your solution:

& <path_to_exe> -install $user ($password -replace '"', '\"')

Powershell, escaping specific character in string variable not present in regex escape method

I learned that I can use [Regex]::Escape() to escape all the commonly escaped characters in string variables

And now you'll learn that that isn't true at all :)

[regex]::Escape() only escapes characters that would otherwise risk being interpreted as escape sequences as defined by .NET's regular expression grammar - it's designed for, and only guaranteed to work in, that context.


For URI parameters, you'll want to use [uri]::EscapeDataString():

# Escape only the parameter value; the "?path=" delimiters must stay literal.
Invoke-RestMethod -Uri ("$MyURL" + '?path=' + [uri]::EscapeDataString($MyPath)) ...
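
The point above, that each escaping method only works in its own context, shown as an added example that is not part of the original answer. The sample value, the host api.example.test and the helper ConvertTo-QueryString are constructed for the illustration.

```powershell
# Added example (not from the original answer). Sample value and host are constructed.
$value = 'docs/R&D report #1 (final)?.txt'

# The same value through three encoders, each meant for a different context.
$encoded = [ordered]@{
    '[regex]::Escape'              = [regex]::Escape($value)            # regex patterns only
    '[uri]::EscapeDataString'      = [uri]::EscapeDataString($value)    # one URI component
    '[Net.WebUtility]::HtmlEncode' = [Net.WebUtility]::HtmlEncode($value)  # HTML text
}

foreach ($name in $encoded.Keys) {
    # Characters that would still act as URI delimiters if placed in a query string.
    $left = [regex]::Matches($encoded[$name], '[&#?/]') |
        ForEach-Object Value | Sort-Object -Unique
    '{0,-30} {1}' -f $name, $encoded[$name]
    '{0,-30} unencoded URI delimiters left: {1}' -f '', ($left -join ' ')
}

function ConvertTo-QueryString {
    # Hypothetical helper: encode every key and value separately, then join.
    param([System.Collections.IDictionary]$Parameters)
    $pairs = foreach ($key in $Parameters.Keys) {
        '{0}={1}' -f [uri]::EscapeDataString([string]$key),
                     [uri]::EscapeDataString([string]$Parameters[$key])
    }
    $pairs -join '&'
}

$query = ConvertTo-QueryString ([ordered]@{ path = $value; rev = '2' })
$uri   = 'https://api.example.test/files?' + $query
$uri

# Round trip: what a server would decode for "path" equals the original value.
$received = [uri]::UnescapeDataString((($query -split '&')[0] -split '=', 2)[1])
$received -ceq $value
```

Only the EscapeDataString row leaves no delimiter behind, which is why it is the one to use for query values.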

powershell script replace special character like à by &agrave;

This good answer to the question What is the best way to escape HTML-specific characters in a string presents a .net method to accomplish this and also to reverse it

Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlEncode('something <somthing else>')
[System.Web.HttpUtility]::HtmlDecode('something &lt;something else&gt;')

Sample output

something &lt;somthing else&gt;
something <something else>

Putting your csv text in a here string

$Text = @"
à &agrave; =line 1 in csv
â &acirc; = line 2 in csv
é &eacute;
è &egrave;
ê &ecirc;
î &icirc;
ï &iuml;
œ &oelig;
ù &ugrave;
û &ucirc;
ç &ccedil;
"@

Add-Type -AssemblyName System.Web
[System.Web.HttpUtility]::HtmlDecode($Text)

has this output:

à    à =line 1 in csv
â â = line 2 in csv
é é
è è
ê ê
î î
ï ï
œ œ
ù ù
û û
ç ç

So there is no need to do every possible replacement in a loop.

Escape an entire string variable which MAY contain characters that need escaping

Use .net library:

[System.Web.HttpUtility]::HtmlEncode()

and ::HtmlDecode to read encoded strings.

Edit:
I can see that you pasted your script. And there's an error.
The method HtmlEncode() returns System.String, so change this:

[System.Web.HttpUtility]::HtmlEncode($xpassword)

To this:

$xpassword=[System.Web.HttpUtility]::HtmlEncode($xpassword)

Otherwise your script will only print the encoded string, and $xpassword stays the same.

How to escape @ within a string in PowerShell?

Invoke-Expression (iex) should generally be avoided; definitely don't use it to invoke an external program or PowerShell script.

Therefore:

  • invoke curl directly
  • and quote PowerShell metacharacters such as @ (see this answer for the full list) - either individually, with ` (e.g., `@), or by enclosing the entire argument in quotes ('...' or "...", as appropriate).

curl -d `@request.txt -o testoutput.xml -X "POST" -H `@header.txt -u "username:password" "URL"

As for what you tried:

The primary concern about Invoke-Expression use is one of security: unwanted execution of (additional) commands potentially injected into the string passed to it.

In terms of functionality, Invoke-Expression is not only not needed for regular calls to external programs, it can create quoting headaches.

However, given that you're passing a '...' string to Invoke-Expression, quoting the @ as `@ would have worked, as shown in this simple example:

# OK, but generally do NOT do this.
Invoke-Expression 'Write-Output `@'

Had you used a "..." string, the ` would have been "eaten" by the up-front parsing of such an expandable string, based on the escaping rules explained in the conceptual about_Quoting_Rules help topic:

# BREAKS, because the ` is stripped before Invoke-Expression sees it.
Invoke-Expression "Write-Output `@"
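
The security concern named above, shown as an added example that is not part of the original answer: the same value is passed once through Invoke-Expression and once by direct invocation. The function Show-Path and the value in $userInput are constructed for the illustration.

```powershell
# Added example (not from the original answer); names and values are constructed.
function Show-Path {
    # Stand-in for the external program or script being called.
    param([string]$Path)
    "received path: <$Path>"
}

# Value that did not originate in the script, e.g. a file name read from input.
$userInput = 'report.txt; Write-Output "a second command ran"'

# Risky: the value is spliced into source text that PowerShell parses again,
# so the ';' ends the first statement and the remainder runs as its own command.
$viaIex = @(Invoke-Expression "Show-Path -Path $userInput")

# Direct invocation: the variable is bound as one argument, whatever it contains.
$direct = @(Show-Path -Path $userInput)

"Invoke-Expression: $($viaIex.Count) output line(s)"
$viaIex
"Direct call: $($direct.Count) output line(s)"
$direct
```

With direct invocation the whole value, semicolon included, arrives in $Path as data, so no escaping of the argument is needed.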

Replacing a string in file containing special characters

Simple example using convertfrom-json:

cat file.json
{
"id": "Save as JPG"
}

$a = get-content file.json | convertfrom-json

$a

id
--
Save as JPG

$a.id = 'Save as PDF'
$a | convertto-json
{
"id": "Save as PDF"
}

$a | convertto-json | set-content file.json
cat file.json
{
"id": "Save as PDF"
}

