New Syntax for HTML Encoding Output in ASP.NET 4 and ASP.NET MVC 2


This post covers a small, but very useful, new syntax feature being introduced with ASP.NET 4 – the ability to automatically HTML encode output within code nuggets. This helps protect your applications and sites against cross-site scripting (XSS) and HTML injection attacks, and enables you to do so using a nice, concise syntax. XSS and HTML injection attacks are two of the most common security issues that plague web sites and applications. They occur when attackers find a way to inject client-side script or HTML markup into web pages that are then viewed by other visitors to a site. This can be used to vandalize a site, and it can also enable attackers to run client-side script that steals cookie data and/or exploits a user's identity on a site. One way to help mitigate cross-site scripting attacks is to make sure that rendered output is HTML encoded within a page. This helps ensure that any content that might have been input or modified by an end user cannot be output back onto a page containing tags like <script> or <img> elements[…]
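The difference between the old `<%= %>` nugget and the new `<%: %>` nugget, shown side by side on one untrusted value. This is an added example, not code from the original post; the view model (`CommentModel`), its `Comment` property, and the sample input are constructed for illustration.

```aspx
<%-- Added example (not from the original post). Assumes an ASP.NET MVC 2 view
     whose hypothetical CommentModel has a string property Comment that is
     populated from untrusted user input.                                      --%>
<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<CommentModel>" %>

<%-- Constructed attacker-controlled value used for illustration:
     Model.Comment = "<script>alert(1)</script>"                               --%>

<%-- UNSAFE: <%= %> writes the raw string, so the browser runs the script.    --%>
<p><%= Model.Comment %></p>
<%-- renders: <p><script>alert(1)</script></p>                                 --%>

<%-- SAFE (ASP.NET 4): <%: %> HTML-encodes before writing, so the injected
     markup is displayed as text instead of being parsed as an element.        --%>
<p><%: Model.Comment %></p>
<%-- renders: <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>                     --%>

<%-- Equivalent on ASP.NET 3.5, which has no <%: %>: encode explicitly.       --%>
<p><%= Html.Encode(Model.Comment) %></p>

<%-- Caveat: <%: %> does not re-encode values that implement IHtmlString
     (MVC 2 helpers return MvcHtmlString), so already-encoded helper output
     is not double-encoded. A plain System.String is always encoded.           --%>
<%: Html.TextBox("comment", Model.Comment) %>
```

Check the rendered page source rather than the browser view: the safe form must show `&lt;script&gt;`, never a live `<script>` element.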

Full Article: New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)