I'm not clear on how to use the AntiXSS library in my .Net WebAPI 2 project.
I have installed the AntiXSS NuGet package (which gives me v4.3), and have set the encoderType property of httpRuntime in web.config.
Which class should I now use to take advantage of AntiXSS? Does it override the behaviour of System.Web.HttpUtility?
If using the AntiXSS NuGet package, the correct use is to use Microsoft.Security.Application.Encoder.
According to bdorrans of the MS Web Protection Library (AntiXSS) project, you can indeed use HttpUtility once encoderType is set.
However, it shouldn't normally be a concern to encode output from an API. My scenario is that I'm serving a Single Page Application, and was worried I was injecting unsafe values in to the page via my model. But unless injecting values via .html() or .eval(), any malicious values will not be executed on the client.