Microsoft just released a new Anti-XSS tool that works with .NET Framework 1.0, 1.1 and 2.0. Anytime you echo user input back to the web page, you are susceptible to either persistent or non-persistent cross-site scripting attacks.

So what was wrong with using System.Web.HttpUtility.HtmlEncode? Check out my blog entry for more details:

http://blogs.msdn.com/dansellers/archive/2006/02/16/533846.aspx