ASP.NET applications (especially those using ASP.NET MVC) often rely on <%= %> code-nugget expressions to render output. Developers today typically call the Server.HtmlEncode() or HttpUtility.HtmlEncode() helper methods within these expressions to HTML encode the output before it is rendered, so that markup or script in the data is emitted as text rather than interpreted by the browser. This can be done using code like below:
While this works, it has two downsides:
It is a little verbose.
Developers often forget to call the Server.HtmlEncode method, and there is no easy way to verify its usage across an app: a single unencoded nugget that renders user-controlled data is a cross-site scripting bug.
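The following is an added example, not code from the original post. It covers both points above: the constructed sample view shows the encoded form of a nugget (Server.HtmlEncode / HttpUtility.HtmlEncode) next to two nuggets that forgot it, and the shell functions give a crude but useful way to audit a view tree for the forgotten ones, which is the "no easy way to verify" problem. The view content, the Model.* property names and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit ASP.NET view files for
# <%= ... %> code nuggets whose output is not passed through an HTML encoder.
set -e

# Constructed sample view (an assumption, not a real project file): two nuggets
# encode their output, two render Model properties raw.
SAMPLE_VIEW="$(mktemp)"
cat > "$SAMPLE_VIEW" <<'EOF'
<h2><%= Server.HtmlEncode(Model.Title) %></h2>
<p>Posted by <%= Model.Author %></p>
<p><%= HttpUtility.HtmlEncode(Model.Body) %></p>
<p>Tags: <%= Model.Tags %></p>
EOF

# Print every single-line <%= ... %> nugget in file $1 whose body does not call
# Server.HtmlEncode or HttpUtility.HtmlEncode. Caveats: a nugget split across
# lines, or one containing a literal '%', is not matched; output encoded through
# some other helper is still reported and must be reviewed by hand.
find_unencoded_nuggets() {
  grep -o '<%=[^%]*%>' "$1" \
    | grep -v -E 'Server\.HtmlEncode|HttpUtility\.HtmlEncode' || true
}

# Count of unencoded nuggets in file $1; prints 0 when the file is clean so the
# result can be used as a build gate.
count_unencoded_nuggets() {
  find_unencoded_nuggets "$1" | grep -c . || true
}

# Stand-alone run: list the offending nuggets in the sample view.
find_unencoded_nuggets "$SAMPLE_VIEW"
```

To audit a whole application, feed every view file to the functions, for example `find . -name '*.aspx' -o -name '*.ascx' | while read -r f; do find_unencoded_nuggets "$f"; done`, and fail the build when the total count is non-zero. The regex is deliberately simple, so treat its output as a review list rather than proof of safety.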