---
title: Escape Data By Output Context
impact: MEDIUM
impactDescription: ensures correct encoding for each output context
tags: xss, escaping, context, encoding, security, csharp
---

## Escape Data By Output Context

Different output contexts (HTML, JavaScript, URL, HTTP header) have different syntax and therefore require different encoding methods; encoding that is correct for one context does not protect another.

**Incorrect (wrong context encoding):**

```csharp
// Razor View - Script Context
<script>
    // XSS: Razor applies HTML encoding here, not JavaScript string escaping,
    // so quotes in userInput break the string literal
    var userData = "@Model.UserInput";
</script>

// Header Injection: CR/LF in userInput starts a new header line
Response.Headers.Add("X-Custom", userInput);
```

**Correct (context-appropriate encoding):**

```csharp
using System.Text.Encodings.Web;

// JavaScript Context in Razor
<script>
    var userData = @Json.Serialize(Model.UserInput); // Safe JSON encoding (IHtmlContent, not re-encoded)
</script>

// Explicit JS Encoder (value inside an existing JS string literal)
var safeJs = JavaScriptEncoder.Default.Encode(userInput);

// URL Context
var safeUrl = UrlEncoder.Default.Encode(userInput);
// or
var safeUrlAlt = Uri.EscapeDataString(userInput);

// Header - Reject CRLF (there is no encoding for header values)
if (!userInput.Contains('\r') && !userInput.Contains('\n'))
{
    Response.Headers.Add("X-Custom", userInput);
}
```
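The same rule as a single dispatch point, written as an added example rather than code from the original rule: the caller names the output context and the matching encoder from `System.Text.Encodings.Web` is applied, while header values are rejected on CR/LF instead of being "encoded". The `OutputContext` enum and `ContextEncoder` class are assumed names for this illustration.

```csharp
using System;
using System.Text.Encodings.Web;

// Added example (not from the original rule): one encoder per output context,
// chosen explicitly so the caller cannot apply the wrong one by accident.
public enum OutputContext { HtmlBody, HtmlAttribute, JavaScriptString, Url, HttpHeader }

public static class ContextEncoder
{
    public static string Encode(string input, OutputContext context) => context switch
    {
        // Element text and double-quoted attribute values: < > & " ' become entities.
        OutputContext.HtmlBody or OutputContext.HtmlAttribute
            => HtmlEncoder.Default.Encode(input),

        // Value placed inside an existing quoted JS string literal. The default
        // encoder also escapes < > & as \uXXXX, so "</script>" cannot close the block.
        OutputContext.JavaScriptString
            => JavaScriptEncoder.Default.Encode(input),

        // Query-string or path-segment value (percent-encoding).
        OutputContext.Url
            => UrlEncoder.Default.Encode(input),

        // No encoding exists for header values; reject CR/LF rather than "fixing" them.
        OutputContext.HttpHeader
            => input.IndexOfAny(new[] { '\r', '\n' }) < 0
                ? input
                : throw new ArgumentException("CR or LF is not permitted in a header value.", nameof(input)),

        _ => throw new ArgumentOutOfRangeException(nameof(context)),
    };

    public static void Main()
    {
        // Constructed sample: ordinary user text that is significant in several contexts.
        const string sample = "O'Brien said \"<b>hi</b>\" & left 50% early";
        foreach (var ctx in Enum.GetValues<OutputContext>())
        {
            Console.WriteLine($"{ctx,-17} {Encode(sample, ctx)}");
        }

        // Constructed header value containing a line break: must be rejected, not encoded.
        try { Encode("first line\r\nsecond line", OutputContext.HttpHeader); }
        catch (ArgumentException ex) { Console.WriteLine($"{"HttpHeader",-17} rejected: {ex.Message}"); }
    }
}
```

Run it once to see how differently the same input is rendered per context; the HTML and JavaScript outputs are not interchangeable, which is the point of selecting the encoder by context.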

**Tools:** Roslyn Analyzers, SonarQube
