Spoiled by Ruby on Rails (3), I expect all my HTML output to be automatically encoded.
I asked this question about script exploits a little earlier, and now I am wondering whether there is any setting, plugin or extension for ASP.NET that automatically HtmlEncodes all HTML output, or whether I have to be very careful and guarantee that on my own.
Various ASP.NET controls automatically encode HTML using HtmlEncode (and some of them encode URLs using UrlEncode), but not universally. Here is a list of controls and what encoding (if any) they perform automatically. I do not know whether it has been updated for .NET 4.0:
What ASP.NET controls are automatically encoded? (this link will ask you to save the document)
This is the blog post about the above document:
http://blogs.msdn.com/b/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx
It was originally published in September 2008, so it probably applies to 2.0, but not necessarily 4.0. Still a useful resource, IMO.
You should also look at the Microsoft Anti-Cross Site Scripting Library 3.1.
As balexandre stated, it looks like the Anti-XSS library is now part of the open source Web Protection Library:
Microsoft Web Protection Library
In addition, OWASP is a good resource for security information, and they have an Enterprise Security API (ESAPI) project that is available (to varying degrees) in different programming languages. I believe the .NET version is not complete yet.
OWASP Enterprise Security API
If you use ASP.NET 4.0 with WebForms, then output written with the <%: %> code nugget will be HtmlEncoded automatically. If you use the Razor engine, then by default all output is HtmlEncoded.
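The rule behind the <%: %> nugget and Razor's @, written out as plain C# so the behaviour is visible. This is an added example, not code from the answer above; it needs a reference to System.Web.dll (.NET Framework 4.x), and the input string is constructed for the demonstration.

```csharp
// Added example (not from the answer above): the encoding that <%: %> and Razor's @ perform,
// reproduced as plain C#. Needs a reference to System.Web.dll (.NET Framework 4.x).
using System;
using System.Web;

static class EncodingNuggets
{
    // Constructed attacker-controlled value, as it might arrive in a query string or form field.
    public const string Untrusted = "<script>alert('xss')</script>";

    // What <%= value %> does: the value reaches the response verbatim.
    public static string Raw(object value)
    {
        return Convert.ToString(value);
    }

    // What <%: value %> (and Razor's @value) does: a value implementing IHtmlString is
    // trusted as already-encoded markup; anything else goes through HtmlEncode.
    public static string Encoded(object value)
    {
        IHtmlString markup = value as IHtmlString;
        if (markup != null)
        {
            return markup.ToHtmlString();
        }
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }

    static void Main()
    {
        // Reflects the script tag unchanged: the <%= %> hole the question is about.
        Console.WriteLine(Raw(Untrusted));

        // The same value with <, >, " and ' turned into entities, so the browser renders text.
        Console.WriteLine(Encoded(Untrusted));

        // HtmlString (Html.Raw in Razor) bypasses encoding; reserve it for markup you
        // assembled yourself from already-encoded pieces.
        Console.WriteLine(Encoded(new HtmlString("<b>bold</b>")));

        // HtmlEncode only covers element content and quoted attribute values. A value placed
        // in a URL needs UrlEncode, and one placed inside a script block needs
        // JavaScriptStringEncode; the nugget does not know which context it is in.
        Console.WriteLine("?q=" + HttpUtility.UrlEncode(Untrusted));
        Console.WriteLine("var q = \"" + HttpUtility.JavaScriptStringEncode(Untrusted) + "\";");
    }
}
```

The practical consequence: automatic encoding in ASP.NET 4 and Razor is per output site, not global, and it is HTML-context encoding only. Every <%= %>, every Html.Raw, and every value that ends up inside a URL, a script block or an event-handler attribute still has to be reviewed by hand.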
By default, ASP.NET will not accept postbacks where an input control contains HTML elements. This behavior is set at the page level using the ValidateRequest property.
If you want to accept postbacks containing HTML, you need to set ValidateRequest to false and HtmlEncode the input yourself on the server before continuing.
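A WebForms code-behind that does what the answer above describes: request validation is off for the page, so the handler encodes the posted markup itself before it is rendered. This is an added example, not code from the answer; the control names (CommentBox, Echo, Submit) and the page name are assumed, and the .aspx and web.config lines it relies on are given in the comment.

```csharp
// Added example (not from the answer above). Assumes a page Comment.aspx whose directive reads
//
//   <%@ Page Language="C#" ValidateRequest="false" CodeBehind="Comment.aspx.cs" Inherits="Comment" %>
//
// and whose designer file declares a TextBox CommentBox, a Literal Echo and a Button Submit
// wired to Submit_Click. On .NET 4.0 or later web.config also needs
//
//   <httpRuntime requestValidationMode="2.0" />
//
// because without it the page-level ValidateRequest="false" is ignored and the request still
// fails with HttpRequestValidationException.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Comment : Page
{
    protected void Submit_Click(object sender, EventArgs e)
    {
        // With validation off, this string may contain any markup the client chose to send.
        string raw = CommentBox.Text;

        // Literal renders Text verbatim in its default mode (Label does the same),
        // so encode at the output point rather than trusting the control.
        Echo.Text = HttpUtility.HtmlEncode(raw);

        // Equivalent: let the control encode on render. Either way, store the raw value,
        // not the encoded one, so it can be encoded correctly for other contexts later.
        // Echo.Mode = LiteralMode.Encode;
        // Echo.Text = raw;
    }
}
```

Turning ValidateRequest off removes a coarse filter, not the need for encoding: request validation rejects only a handful of patterns such as a < followed by a letter, and it never protected output that was assembled from databases, cookies or headers in the first place.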