HTML Encoding in ASP .NET 2.0 Best Practices

Untitled

I currently have a web application with hundreds of pages and controls.
There currently is no HTML Encoding done anywhere. Data to the
application come from all different places such as UI, WebServices,
Remoting and listeners that log data. All this data needs to be shown
to the user at some point and all of it can include some sort of HTML.

How in the world can I make sure that this information is displayed
properly without allowing the HTML in the Data to mess up the HTML in
the page. Of course I have to HTML Encode the information but how do I
do that?

I have tons of pages! Do I really have to go to every possible page,
looking for every possible piece of output information and
Server.HtmlEncode it? That has to be the most painful thought I could
possibly think of :)

Maybe there is a design principle I'm missing. Maybe if I had coded my
pages in a certain technique, all the information would have to go through
certain controls, or through a certain mechanism that makes sure what
needs to be encoded is encoded and what needs to be left unencoded
remains unencoded.

Any help?

Thanks,

Mark
 
Bruce Barker

well, best practice would have been to think about this at the design of the
site.

1) which data fields are html that should be displayed as html and are
certified safe.
2) which data fields have html which should be scrubbed: remove scripting,
check for dangling tokens (say a <b> with no </b>), embedded forms, etc.
3) which data is just raw data and should be displayed as the characters typed
(input <hi>, should be displayed as <hi>).

all data handling should default to #3. this means no response write
without encoding, no InnerHtml without validation. most controls will do the
correct behavior if you use the Text value.

-- bruce (sqlwork.com)
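
The three categories from the reply above, with #3 as the default, sketched as an added example that is not part of the original thread or of ASP.NET itself. The names FieldKind, HtmlScrubber and SafeOutput are hypothetical, the sample strings are constructed, and the scrubber for category 2 is assumed to be a vetted allowlist sanitizer supplied by the application.

```csharp
using System;
using System.Web; // HttpUtility.HtmlEncode

// Hypothetical names throughout; this is not a framework API.
public enum FieldKind { RawText, ScrubbedHtml, TrustedHtml }

// Assumption: the application supplies a vetted allowlist sanitizer.
public delegate string HtmlScrubber(string html);

public static class SafeOutput
{
    public static HtmlScrubber Scrubber; // null until one is plugged in

    // Category 3 is the default: callers that say nothing get encoding.
    public static string Render(string value)
    {
        return Render(value, FieldKind.RawText);
    }

    public static string Render(string value, FieldKind kind)
    {
        if (value == null) return string.Empty;
        switch (kind)
        {
            case FieldKind.TrustedHtml:
                // Category 1: certified-safe markup, emitted unchanged.
                return value;
            case FieldKind.ScrubbedHtml:
                // Category 2: fail closed and encode if no scrubber is set.
                return Scrubber != null ? Scrubber(value)
                                        : HttpUtility.HtmlEncode(value);
            default:
                // Category 3: show the characters exactly as typed.
                return HttpUtility.HtmlEncode(value);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values.
        Console.WriteLine(SafeOutput.Render("<hi> & <b>unclosed"));
        Console.WriteLine(SafeOutput.Render("<b>note</b>", FieldKind.ScrubbedHtml));
        Console.WriteLine(SafeOutput.Render("<b>certified</b>", FieldKind.TrustedHtml));
    }
}
```

Routing every output through one helper like this turns the audit into a search for the few call sites that pass TrustedHtml or ScrubbedHtml, rather than a review of every page.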
 
