knockout.js antixsslibrary

How should I use the AntiXSS library with the Knockout library?


In a project at work, I've recently been assigned to encode the user input using the AntiXSS library (v. 4.2.1), even though it's as good as abandoned and doesn't even have documentation for the latest version. I looked around a bit and found that I could use something like this for the input:

<input type="text" value='<%= Microsoft.Security.Application.AntiXss.HtmlEncode() %>' />

Unfortunately, the project I'm working on uses the Knockout library, so if I have:

<input type="text" data-bind="value: Something" />

Would something like this be possible?

 <input type="text" data-bind="value: <%= Microsoft.Security.Application.AntiXss.HtmlEncode(Something) %>" />

Edit: forgot to add that the inputs are handled in the .ascx pages, not .aspx


Solution

  • Knockout runs on the client side (JavaScript) and the AntiXSS library on the server side. You can't mix these two things. You have to encode your properties in the code-behind of your .ascx pages after they are sent to the server.
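
One way to do what the answer describes, as an added example that is not part of the original answer: the Knockout binding stays purely client-side, and the code-behind encodes the posted value for each context it is written into. The control name Comment.ascx, the field name Something, the control IDs and the SomethingAsJs property are all hypothetical.

```csharp
// Constructed example. Markup assumed in a hypothetical Comment.ascx:
//   <input type="text" name="Something" data-bind="value: Something" />
//   <asp:Button ID="SaveButton" runat="server" Text="Save" OnClick="SaveButton_Click" />
//   <p><asp:Literal ID="Preview" runat="server" /></p>
//   <script>
//     ko.applyBindings({ Something: ko.observable(<%= SomethingAsJs %>) });
//   </script>
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXSS 4.2.1

public partial class Comment : UserControl
{
    // Normally generated into the designer file; declared here so the class
    // is complete on its own. Omit it if your project generates the field.
    protected Literal Preview;

    // Raw value as the browser posted it, kept unencoded until it is written out.
    private string something = string.Empty;

    // JavaScript context: the value seeds the Knockout observable on render.
    // JavaScriptEncode returns a quoted, escaped JavaScript string literal,
    // so the markup above does not add its own quotes.
    protected string SomethingAsJs
    {
        get { return AntiXss.JavaScriptEncode(something); }
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Knockout only kept the view model and the input in sync; the
        // server sees an ordinary form field.
        something = Request.Form["Something"] ?? string.Empty;

        // HTML context: encode at the point the value is written to the page.
        Preview.Text = AntiXss.HtmlEncode(something);
    }
}
```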