Now that MVC has introduced HTML Encoding via <%: blah %> is there still

Question

0

Asked: May 16, 20262026-05-16T02:14:36+00:00 2026-05-16T02:14:36+00:00

Now that MVC has introduced HTML Encoding via <%: blah %> is there still

0

Now that MVC has introduced HTML Encoding via

<%: blah %>

is there still value in using

<%= AntiXSS.HTMLEncode(blah) %>

instead?

For Example: My application will take all content in (including JavaScript) and store it in it’s raw state in the database. I was planning on simply outputting everything using something like <%: model.Name %> and relying on the MVC “stuff” to do the encoding for me.

Is that method secure enough to rely on for AntiXSS, or do I need to explicitly use the AntiXSS Library? If I need to use the AntiXSS Library, can I ask why wouldn’t that kind of thing be already built into MVC?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-16T02:14:37+00:00

Editorial Team

2026-05-16T02:14:37+00:00Added an answer on May 16, 2026 at 2:14 am

I don’t think there’s any real difference, but if you’re really that concerned, you can use the AntiXss library as the default encoder for asp.net, as described in this article.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Now that MVC has introduced HTML Encoding via <%: blah %> is there still

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply