
Why doesn't HtmlEncode encode this char?

This is the code:

Response.Write("asd1 X : " + HttpUtility.HtmlEncode("×"));
Response.Write("asd2 X : " + HttpUtility.HtmlEncode("✖"));

The first one is:

asd1 X : &#215; // OK, ENCODED AS HTML ENTITIES

The second is not, just ✖:

asd2 X : ✖

Which kind of char is that? Also, if I try here the result is:

asd1 X : ×
asd2 X : ✖

What?? Why these differences?

markzzz asked Jan 17 '23 08:01


2 Answers

In the MSDN page for HttpUtility.HtmlEncode(string), you will find this comment:

It encodes all character codes from decimal 160 to 255 (both inclusive) to their numerical entity (e.g. &#160;)

× (&times;) is the same as &#215; / &#xD7; on my computer, so will get encoded, but since ✖ is &#10006; / &#x2716;, it will not be.

You can use the overload of HtmlEncode that takes a TextWriter based on the wanted Encoding.

Oded answered Jan 25 '23 22:01


My best guess is that not all strings have an entity representation. The Heavy Multiplication X is just one of the many that don't.

To elaborate on Oded's link, HttpUtility.HtmlEncode only encodes characters in ISO 8859-1 (Latin-1). Since the Heavy Multiplication X is out of this range, the function doesn't handle it.

If you try Microsoft.Security.Application.AntiXss.HtmlEncode("✖");, you'll get the HTML entity: &#10006;.

Ray Cheng answered Jan 25 '23 22:01
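
Added example, not part of either answer and not code from the .NET framework or the AntiXSS library: it runs `WebUtility.HtmlEncode` first (markup characters plus the 160 to 255 range), then rewrites every remaining non-ASCII code point as a decimal numeric character reference, so ✖ (U+2716) comes out as `&#10006;`. The class name `EntityDemo`, the helper `EncodeAllNonAscii` and the sample strings are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text;

static class EntityDemo
{
    // Hypothetical helper: HTML-encode, then turn anything still outside
    // ASCII into a decimal numeric character reference (&#NNNN;).
    public static string EncodeAllNonAscii(string input)
    {
        if (input == null) return null;

        // Handles <, >, &, quotes and the Latin-1 160-255 range.
        string encoded = WebUtility.HtmlEncode(input);
        var sb = new StringBuilder(encoded.Length);

        for (int i = 0; i < encoded.Length; i++)
        {
            char c = encoded[i];
            if (c < 128) { sb.Append(c); continue; }

            int codePoint;
            if (char.IsHighSurrogate(c) && i + 1 < encoded.Length
                && char.IsLowSurrogate(encoded[i + 1]))
            {
                // Astral characters are two UTF-16 units: emit one reference.
                codePoint = char.ConvertToUtf32(c, encoded[i + 1]);
                i++;
            }
            else if (char.IsSurrogate(c))
            {
                codePoint = 0xFFFD; // lone surrogate: replacement character
            }
            else
            {
                codePoint = c;      // BMP character such as U+2716
            }
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed samples: Latin-1 ×, BMP ✖, an astral emoji, markup around ✖.
        string[] samples = { "\u00D7", "\u2716", "\U0001F600", "<b>\u2716</b>" };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", WebUtility.HtmlEncode(s), EncodeAllNonAscii(s));
    }
}
```

For XSS defence, the escaping of the markup-significant characters is what matters; turning ✖ into a reference is only needed when the response charset cannot represent it.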