Microsoft announces the ASP.NET Ajax 1.0 Release

Microsoft has announced the final 1.0 release of ASP.NET Ajax (a.k.a. Atlas).

ASP.NET AJAX Control Toolkit
In addition to the fully-supported ASP.NET AJAX 1.0 release, you can use the more than 30 free ASP.NET AJAX enabled controls available within the ASP.NET AJAX Control Toolkit

HttpUtility.HtmlEncode and Server. HtmlEncode do not prevent Cross Site Scripting

Do not use: HttpUtility.HtmlEncode or Server.HtmlEncode because this functions only encodes <>"& characters. This is not sufficient to protect against all possible attacks.
For instance, the following ASP.NET code would be vulnerable:

<br /><img id='img<%=Server.HtmlEncode(Request.QueryString["userId"])%>' src='/image.gif' /><br /><br />An attacker could inject client-side script here by setting userId to:' onload=alert('xss') alt='<br />

In order to be fully protected use the method: HtmlEncode of Microsoft Anti-Cross Site Scripting Library.

Tutorial that shows you how to use the Microsoft Anti-Cross Site Scripting Library:
http://msdn2.microsoft.com/en-us/library/aa973813.aspx

Forum:
http://forums.asp.net/1107/ShowForum.aspx.