ASP.NET MVC 2 - AntiXSS vs Built In MVC Encoding

Question

Now that MVC has introduced HTML Encoding via

<%: blah %> 

is there still value in using

<%= AntiXSS.HTMLEncode(blah) %> 

instead?

For Example: My application will take all content in (including JavaScript) and store it in it's raw state in the database. I was planning on simply outputting everything using something like <%: model.Name %> and relying on the MVC "stuff" to do the encoding for me.

Is that method secure enough to rely on for AntiXSS, or do I need to explicitly use the AntiXSS Library? If I need to use the AntiXSS Library, can I ask why wouldn't that kind of thing be already built into MVC?

Answer 1

Per Phil Haack's article: Using AntiXss as the Default Encoder for ASP.NET in ASP.NET 4 (including MVC), you can override the default HTML encoder to use the AntiXSS encoder.

Reasons against "AntiXSS.HTMLEncode" 1) The shorthand is easier to code 2) Calling the helper method (<%:%>/@:/HttpUtility.HtmlEncode/Server.HtmlEncode/etc.) and injecting the encoder implementation makes your code more maintainable vs. the specific AntiXSS implementation.

However, I believe "AntiXSS.HTMLEncode" is the only option for .NET versions < 4

Answer 2

<%: only encodes with HTML encoding. If you're outputting to HTML attributes, Javascript or any space where the HTML body rules apply then you will still need to select the encoding method manually.

Answer 3

I don't think there's any real difference, but if you're really that concerned, you can use the AntiXss library as the default encoder for asp.net, as described in this article.