Will HTML Encoding prevent all kinds of XSS attacks?
No. Putting aside the subject of allowing some tags (not really the point of the question), HtmlEncode simply does NOT cover all XSS attacks. For instance, consider server-generated client-side JavaScript: if the server dynamically outputs HTML-encoded values directly into the client-side JavaScript, HtmlEncode will not stop injected script from executing. Next, consider the following pseudocode: …
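The JavaScript-context case described above, as an added example that is not part of the original answer: Python's `html.escape` stands in for HtmlEncode, and the template, the function names and the sample input are hypothetical. It renders the same value with HTML encoding only and then with encoding suited to a JavaScript string inside an inline script block.

```python
import html
import json

# Hypothetical server-side template: the value lands inside a script block,
# in a JavaScript context, with no surrounding quotes.
TEMPLATE = "<script>var userId = {value};</script>"

# Constructed sample input: it contains none of the characters that HTML
# encoding rewrites (& < > " '), so HTML encoding returns it unchanged.
SAMPLE_INPUT = "0;injected()"


def render_html_encoded(value: str) -> str:
    """Weak form: HTML-encode the value, then place it in the script block."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal for an inline script.

    json.dumps adds the quotes and escapes quotes, backslashes, control
    characters and (by default) all non-ASCII characters. The loop then
    escapes the characters that could end the script element or start an
    HTML comment or entity.
    """
    literal = json.dumps(value)
    for ch in ("<", ">", "&"):
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def render_js_encoded(value: str) -> str:
    """Hardened form: the value can only ever be string data."""
    return TEMPLATE.format(value=js_string_literal(value))


if __name__ == "__main__":
    print("HTML-encoded only:", render_html_encoded(SAMPLE_INPUT))
    print("JS-context encoded:", render_js_encoded(SAMPLE_INPUT))
    print("Script-closing input:", js_string_literal("</script>"))
```

In the first rendering the input becomes a second JavaScript statement; in the second it stays a quoted string.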