Since version 4, ASP.NET offers an extensible mechanism for encoding the output. This is the content that will be returned to the browser. I already refered it in Providers.
The actual implementation to use can be configured by code or XML configuration (the Web.config file).
The default implementation is always available in the read only property HttpEncoder.Default.
If you prefer to change the Web.config file, you need to set the encoderType attribute of the httpRuntime section:
It is a nice addition, especially together with the validation provider model introduced with ASP.NET 4, which will be the topic of my next post on ASP.NET Web Forms extensibility.