Microsoft Anti Scripting Library + Base controls
Wednesday, June 18, 2008
I have been experimenting with finding quick fixes on an existing site with XSS, using the browser file in ASP.NET to get a system-wide Anti XSS implementation without having to go through each bit of code.
By no means is this a perfect solution; you should go through all of the code that you are working on, but sometimes you need to get a defence up and running.
Also, this technique I am experimenting with would potentially be useful for starting off a new site with a set of basic controls that have the Microsoft Anti Scripting Library applied as standard.
Link to the Microsoft Anti Scripting Library:
http://www.microsoft.com/downloads/details.aspx?familyid=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en
Example:
http://msdn.microsoft.com/en-us/library/aa973813.aspx
This is the code I am tinkering with:
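using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using Microsoft.Security.Application;
using System.Web.UI.WebControls;

namespace UnwindSoftwareLtd.Web.StandardAxss
{
    // Control adapter that HTML-encodes a Label's text before it is rendered.
    public class LabelControl : System.Web.UI.WebControls.Adapters.WebControlAdapter
    {
        protected override void Render(System.Web.UI.HtmlTextWriter writer)
        {
            // The adapted control is the Label this adapter is attached to.
            Label label = (Label)base.Control;

            // Encode with the Anti-XSS library so any markup in Text is output as inert text.
            label.Text = AntiXss.HtmlEncode(label.Text);

            // Let the default rendering emit the now-encoded text.
            base.Render(writer);
        }
    }
}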
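The adapter above only runs once a browser definition file maps it to the control type. As an added example (not from the original post), this is a .browser file that attaches the LabelControl adapter to every Label on the site; the file name and the assumption that the class is compiled into the site itself are illustrative.

```xml
<!-- App_Browsers/AntiXss.browser (file name is an assumption; any *.browser file in App_Browsers is loaded) -->
<browsers>
  <!-- refID="Default" extends the base definition, so the mapping applies to every browser -->
  <browser refID="Default">
    <controlAdapters>
      <!-- adapterType assumes the class is compiled into the site (e.g. App_Code);
           for a separate assembly, use the assembly-qualified name: "Namespace.Type, AssemblyName" -->
      <adapter controlType="System.Web.UI.WebControls.Label"
               adapterType="UnwindSoftwareLtd.Web.StandardAxss.LabelControl" />
    </controlAdapters>
  </browser>
</browsers>
```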
Ideally, though, I would like the Anti Scripting Lib to be applied to all MS controls; it would be switched on by default. I accept, though, that there are applications that need to use, for example, the Label control to output JavaScript, but it would be great if you could use a switch to say don't use the Anti Scripting library, or I want to output JavaScript format for that.
James

