I'm working on user-given URLs to be used as links with A tags and as embedded images as IMG tags, and I'm wondering about the security, a bit like with the question "Spring - MVC - Sanitize URL before redisplaying to the user", but I'm working on ASP.NET MVC.

Following the XSS cheat sheet, there are lots of XSS techniques to be aware of. The automatic form checking of ASP.NET MVC seems to catch at least the basic cases, but is it enough?

For output of the URLs, is plain HttpUtility.HtmlEncode enough, should I consider using WPL, or is there some other solution that I didn't happen to think of?

br, Touko

Touko

1 Answer

I would suggest taking a look at Microsoft's AntiXss library. It's what I use for sanitizing my apps/data.

PsychoCoder
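
Added example (not from the question or the answer, and not code from ASP.NET MVC or the AntiXss library): HTML encoding does not alter a URL's scheme, so a user-given URL is parsed and checked against a scheme allowlist before it is attribute-encoded into an A or IMG tag. The `UserUrl` class, its method names, the http/https-only policy and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Web; // HttpUtility: System.Web on .NET Framework, System.Web.HttpUtility on .NET Core and later

// Hypothetical helper, not part of ASP.NET MVC or the AntiXss library.
public static class UserUrl
{
    // Assumption: only absolute http/https URLs are acceptable for links and images.
    private static readonly string[] AllowedSchemes = { Uri.UriSchemeHttp, Uri.UriSchemeHttps };

    // Returns the parsed, normalized URL, or null when the input must be rejected.
    public static string Normalize(string input)
    {
        if (string.IsNullOrWhiteSpace(input)) return null;
        Uri uri;
        if (!Uri.TryCreate(input.Trim(), UriKind.Absolute, out uri)) return null;
        // Uri.Scheme is lower-cased by the parser, so mixed-case schemes compare correctly.
        if (Array.IndexOf(AllowedSchemes, uri.Scheme) < 0) return null;
        return uri.AbsoluteUri; // emit the parser's form, never the raw input
    }
    public static string RenderLink(string input, string text)
    {
        string url = Normalize(input);
        if (url == null) return HttpUtility.HtmlEncode(text); // rejected: plain text, no link
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(url) + "\" rel=\"nofollow\">"
             + HttpUtility.HtmlEncode(text) + "</a>";
    }
    public static string RenderImage(string input)
    {
        string url = Normalize(input);
        return url == null ? string.Empty
             : "<img src=\"" + HttpUtility.HtmlAttributeEncode(url) + "\" alt=\"\">";
    }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs: one acceptable URL and four that need handling.
        string[] samples = {
            "https://example.com/a.png?x=1&y=2",
            "JaVaScRiPt:alert(1)",
            "data:text/html,<b>x</b>",
            "http://example.com/\" onmouseover=\"x",
            "/relative/path"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-45} -> {1}", s, UserUrl.RenderLink(s, "link"));
    }
}
```

The check runs at output time as well as on input, so URLs already stored before the validation existed are covered too.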