ASP .NET: Safely Escape Data from your Database to Display in HTML but Still Keep Line Breaks


In this short article I will show a simple example of how to secure data for presentation but still keep select formatting such as line breaks. For more .NET tips feel free to browse the categories of my site at:

If you are presenting data from your database on a Web page, you’ll first need to escape special characters so that they don’t break your page. There are a number of ways to do this depending on if you are programmatically generating the data or if you are directly outputting the result of a SQLDataSource onto your page using an Eval. On top of this, you’ll likely also want to keep line breaks instead of escaping those too.

In this case, here is how you would directly output safely formatted database content onto a <div element on your HTML page.

A Note About Using the HTML Pre Element Instead of Div

In this example we programmatically format the line breaks to work with our HTML Div element. Depending on your situation a better alternative is possibly to use the Pre element. If you want to have your HTML display user-entered tabbing, spacing, and line breaks, without specifically encoding these in code, you should take a look at the HTML <pre element (here is a good explanation of how the HTML pre works).

Code in VB.NET:

<div id="ShowSomeText" title="Output Some DB Text"></div>
<div>        <%# WebUtility.HtmlEncode(CStr(Eva<wbr />l("Notes"))).Replace(ControlCh<wbr />ars.CrLf, "<br>")%></div>

Code in C#:

<div id="ShowSomeText" title="Output Some DB Text">
<div>        <%# WebUtility.HtmlEncode(Convert.ToString(Eval("Notes"))).Replace(ControlChars.CrLf, "<br>") %></div>

In the example script above, we:

  1. First cast the database content from the SQLDataSource to a String using the VB CStr(method (or the Convert.ToString( method in C#) around the Eval(.
  2. Then we use the HTMLEncode method provided by the .NET WebUltility library. This is the main method for securing the database content to make sure special characters in it don’t break the HTML of your page.
  3. Now that your content is safely encoded, we want to keep showing the line breaks that users have entered. If we don’t, then the content will just show up as a single block of text. To convert the line breaks we can do a simple Replace function to change line breaks to HTML <br> tags.


I hope you have found this information useful. Naturally, you can use almost the exact same code if you are processing the  database data programmatically.

Please feel free to leave comments or suggestions in the comments section below.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s