Dec 20, 2007 12:40 AM | abombss
The more I read the thread and think about it, the more it makes sense not to change the default behavior.
The developer does have to take some culpability in security as well.
My feeling is, keep as is and don't encode any input. If Microsoft wanted to include an extension for encoding with <%!= that's cool; otherwise I am sure MVC Contrib could pick up something like that too. This is something that should be consistent with other frameworks, not innovative or creative... changing this will just make things confusing.
Another good tool would be an HttpModule that could filter output and throw warnings for potential XSS attacks when in a test environment. Not perfect but certainly better than nothing.
P.S. If you are thinking about working some magic with the ASP.NET compiler, think about this too.
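One way to build the dev-time warning module the post sketches, as an added example that is not code from the poster or from the thread: an ASP.NET `IHttpModule` that installs a `Response.Filter` stream, buffers the rendered HTML, and warns (via page tracing) whenever a request value containing HTML metacharacters is found verbatim in the output, which is exactly the case where a view wrote `<%= %>` without encoding. The class names `XssOutputWarningModule`, `EchoDetectingStream` and `OutputEchoScanner` are assumptions for this example; the ASP.NET APIs (`IHttpModule`, `HttpResponse.Filter`, `HttpContext.IsDebuggingEnabled`, `TraceContext.Warn`) are the standard .NET Framework ones.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.IO;
using System.Text;
using System.Web;

// Hypothetical dev-time module (example only). Registered in web.config under
// <httpModules>, it only activates when <compilation debug="true">, so it never
// runs in production. Request validation must be off for the pages under test,
// otherwise ASP.NET rejects such input before any view can echo it.
public sealed class XssOutputWarningModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PreRequestHandlerExecute += (sender, e) =>
        {
            HttpContext ctx = app.Context;
            if (!ctx.IsDebuggingEnabled) return;
            // Wrap the existing filter so the rendered HTML passes through us.
            ctx.Response.Filter = new EchoDetectingStream(ctx.Response.Filter, ctx);
        };
    }

    public void Dispose() { }
}

// Pure scanning logic, kept separate so it can be unit-tested without HttpContext.
public static class OutputEchoScanner
{
    private static readonly char[] Meta = { '<', '>', '"', '\'', '&' };

    // Returns one message per request value that carries HTML metacharacters
    // and appears in the output exactly as sent, i.e. was not HTML-encoded.
    public static List<string> FindUnencodedEchoes(NameValueCollection inputs, string html)
    {
        var findings = new List<string>();
        foreach (string key in inputs.AllKeys)
        {
            string value = inputs[key];
            if (string.IsNullOrEmpty(value) || value.IndexOfAny(Meta) < 0) continue;
            if (html.IndexOf(value, StringComparison.Ordinal) >= 0)
                findings.Add("Unencoded echo of input '" + key + "': " + HttpUtility.HtmlEncode(value));
        }
        return findings;
    }
}

// Write-only filter stream: buffers the page, scans it on Close, then forwards it.
internal sealed class EchoDetectingStream : Stream
{
    private readonly Stream _inner;
    private readonly HttpContext _ctx;
    private readonly MemoryStream _buffer = new MemoryStream();

    public EchoDetectingStream(Stream inner, HttpContext ctx) { _inner = inner; _ctx = ctx; }

    public override void Write(byte[] buffer, int offset, int count)
    {
        _buffer.Write(buffer, offset, count);
    }

    // Deferred: the scan needs the whole page, so nothing is forwarded until Close.
    public override void Flush() { }

    public override void Close()
    {
        byte[] bytes = _buffer.ToArray();
        string html = Encoding.UTF8.GetString(bytes);
        var inputs = new NameValueCollection();
        inputs.Add(_ctx.Request.QueryString);
        inputs.Add(_ctx.Request.Form);
        foreach (string finding in OutputEchoScanner.FindUnencodedEchoes(inputs, html))
            _ctx.Trace.Warn("XSS", finding);   // shows up in trace.axd / page trace
        _inner.Write(bytes, 0, bytes.Length);
        _inner.Flush();
        _inner.Close();
        base.Close();
    }

    public override bool CanRead { get { return false; } }
    public override bool CanSeek { get { return false; } }
    public override bool CanWrite { get { return true; } }
    public override long Length { get { throw new NotSupportedException(); } }
    public override long Position
    {
        get { throw new NotSupportedException(); }
        set { throw new NotSupportedException(); }
    }
    public override int Read(byte[] buffer, int offset, int count) { throw new NotSupportedException(); }
    public override long Seek(long offset, SeekOrigin origin) { throw new NotSupportedException(); }
    public override void SetLength(long value) { throw new NotSupportedException(); }
}
```

The scanner is deliberately a substring check rather than a parser: a value such as `<b>x</b>` that reaches the output byte-for-byte is by definition unencoded, while the same value written through `HttpUtility.HtmlEncode` becomes `&lt;b&gt;x&lt;/b&gt;` and is not matched. That makes it cheap and free of false positives for this one question, at the cost of missing values the view transformed (trimmed, case-folded) before writing them, which is the "not perfect" part the post concedes.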