With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax.
My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?
A Microsoft security person once told me to never just use HTML Encode as it doesn't protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I confidently use <%: %> knowing it's going to protect my app from XSS like people are saying?