70 views, 2 answers

Now that MVC has introduced HTML Encoding via

<%: blah %> 

is there still value in using

<%= AntiXSS.HTMLEncode(blah) %> 

instead?

For example: my application will take all content in (including JavaScript) and store it in its raw state in the database. I was planning on simply outputting everything using something like <%: model.Name %> and relying on the MVC "stuff" to do the encoding for me.

Is that method secure enough to rely on for AntiXSS, or do I need to explicitly use the AntiXSS Library? If I need to use the AntiXSS Library, can I ask why that kind of thing wouldn't already be built into MVC?

+5  A: 

I don't think there's any real difference, but if you're really that concerned, you can use the AntiXss library as the default encoder for ASP.NET, as described in this article.

DanP
Hey that's a great article. Makes a whole heck of a lot of sense.
rockinthesixstring
A: 

<%: only encodes with HTML encoding. If you're outputting to HTML attributes, JavaScript or any space where the HTML body rules apply, then you will still need to select the encoding method manually.

blowdart
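To make the point of the last answer concrete, here is an added example (not code from the thread, and not the AntiXss or ASP.NET implementation). It models three encoders in plain JavaScript: htmlEncode, which does what <%: %> does (encodes & < > " ' the way HttpUtility.HtmlEncode does); htmlAttributeEncode and javaScriptEncode, which behave like the AntiXss attribute and JavaScript-string encoders in that they turn every character outside [A-Za-z0-9] into a numeric entity or a \xHH escape. decodeAttributeEntities is a simplified model of the browser decoding entities inside an attribute before the JavaScript engine ever sees the value; the two payload strings are constructed for the demonstration. The two cases show where HTML encoding alone stops working: an unquoted attribute, and JavaScript inside an event-handler attribute.

```javascript
// Added example: simplified models of HTML, HTML-attribute and JavaScript
// encoders, used to show why HTML encoding alone (what <%: %> gives you) is
// not enough outside the HTML body. Not the real AntiXss/ASP.NET code.

// Roughly what <%: %> does: encode the five HTML-significant characters.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Attribute encoder (AntiXss-style model): everything outside [A-Za-z0-9]
// becomes a numeric entity, so the value can never contain a bare space,
// '=' or '>' that would start a new attribute.
function htmlAttributeEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => `&#${c.charCodeAt(0)};`);
}

// JavaScript string encoder (AntiXss-style model): everything outside
// [A-Za-z0-9] becomes \xHH or \uHHHH. The output has no quotes and no
// '&', so a later HTML/attribute encoding pass leaves it untouched.
function javaScriptEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + code.toString(16).padStart(4, '0').toUpperCase();
  });
}

// Minimal model of browser behaviour: entities inside an attribute value
// are decoded BEFORE the value is handed to the JavaScript engine.
function decodeAttributeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&(#x[0-9A-Fa-f]+|#[0-9]+|[a-z]+);/g, (m, body) => {
    if (body[0] === '#') {
      const code = body[1] === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return String.fromCharCode(code);
    }
    return body in named ? named[body] : m;
  });
}

// Case 1: unquoted attribute, e.g. <input value=<%: model.Name %>>.
// An unquoted value ends at the first whitespace or '>', so an encoded
// value that still contains either of those injects a new attribute.
function escapesUnquotedAttribute(encodedValue) {
  return /[\s>]/.test(encodedValue);
}

// Case 2: JavaScript inside an event handler, e.g.
// <a onclick="show('<%: model.Name %>')">. After the browser decodes the
// attribute, does the JS parser see a bare single quote that ends the
// string literal?
function jsSeesStringBreak(encodedValue) {
  return decodeAttributeEntities(encodedValue).includes("'");
}

// Constructed payloads for the two contexts.
const unquotedAttrPayload = 'x onmouseover=alert(1)';   // no & < > " ' at all
const eventHandlerPayload = "'); alert(1); //";

// Demonstration: true means the payload still breaks out of its context.
function demo() {
  return {
    unquotedAttr_htmlEncodeOnly: escapesUnquotedAttribute(htmlEncode(unquotedAttrPayload)),
    unquotedAttr_attributeEncode: escapesUnquotedAttribute(htmlAttributeEncode(unquotedAttrPayload)),
    eventHandler_htmlEncodeOnly: jsSeesStringBreak(htmlEncode(eventHandlerPayload)),
    eventHandler_jsThenHtmlEncode: jsSeesStringBreak(htmlEncode(javaScriptEncode(eventHandlerPayload))),
  };
}

console.log(demo());
```

The unquoted-attribute payload contains none of the characters HTML encoding touches, so <%: %> emits it unchanged and the space starts a new onmouseover attribute. The event-handler payload does get its quote encoded to &#39;, but the browser decodes that back to a quote before the JavaScript runs, so the string literal is terminated anyway; encoding for the JavaScript context first (then HTML-encoding the attribute, which is now a no-op) is what actually closes the hole. Quoting the attribute fixes case 1 but not case 2, which is why the encoder has to match the innermost context the value lands in.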