In an Asp.net Mvc application all string output is unescaped by default either you remember to escape everything with HTTPUtility or you open yourself up to XSS attacks.
Now I'm a forgetful guy so I'm looking for a solution that helps me "not forget" to escape all my strings for me.
Can anybody share any techniques they've used make escaping all Asp.net MVC output easier?
I think you'll find that a lot of things aren't "built-in" to MVC, because that's sorta one of the core values of it: it's flexible enough to give you a lot of control, and therefore it expects you to do some things yourself.
However, check out MVCContrib, specifically FluentHtml; I believe it does encoding for you by default.
jfar, what you want is absolute possible, see this excellent blog post:
http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
Steve Sanderson explains step-by-step how to change "<%=....>" behavior, overriding GenerateCodeFromStatement() method from CSharpCodeProvider class, that is a cool thing. cleans up a lot of HttpUtility.HtmlEncode calls and works pretty well with asp.net mvc.