Server.HtmlEncode vs HttpUtility.HtmlEncode

Server.HtmlEncode is equivalent to System.Web.HttpContext.Current.Server.HtmlEncode. The Server object is an instance of the System.Web.HttpServerUtility class, and it is readily accessible from any .aspx page, since every page inherits from the Page object, which in turn exposes a Server object instance.

The HttpUtility.HtmlEncode function lives under System.Web.HttpUtility. This class is basically a static version of the Server class, which means that you can call the HtmlEncode function from a static function, or from another class that does not have an instance of the HttpServerUtility class.

There is a third HtmlEncode function, located in Microsoft's Anti-Cross Site Scripting Library. In contrast with the Server.HtmlEncode and HttpUtility.HtmlEncode functions, the latter function takes a more aggressive approach by using white-list filtering instead of a black-list, which makes it more PCI standards-compliant and more secure.
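The difference between the two filtering approaches, as an added example that is not from the original post and is not the actual source of HttpUtility or the Anti-XSS library. The names `DenyListEncode` and `AllowListEncode`, the four-character replacement set and the safe-character set are simplified assumptions chosen for illustration.

```csharp
using System;
using System.Text;

static class EncodingDemo
{
    // Black-list style (assumed set): replace a fixed list of characters
    // known to be dangerous in HTML and pass everything else through.
    public static string DenyListEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '&': sb.Append("&amp;"); break;
                case '"': sb.Append("&quot;"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // White-list style (assumed set): pass through only characters known to
    // be safe and encode everything else as a numeric character reference.
    public static string AllowListEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            bool safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                        (c >= '0' && c <= '9') ||
                        c == ' ' || c == '.' || c == ',' || c == '-' || c == '_';
            if (safe) { sb.Append(c); continue; }
            int codePoint = c;
            // Combine a surrogate pair into one code point before encoding.
            if (char.IsHighSurrogate(c) && i + 1 < input.Length && char.IsLowSurrogate(input[i + 1]))
                codePoint = char.ConvertToUtf32(c, input[++i]);
            sb.Append("&#").Append(codePoint).Append(';');
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample input containing a single quote and markup.
        string value = "Tom's <b>note</b>";
        Console.WriteLine(DenyListEncode(value));
        Console.WriteLine(AllowListEncode(value));
    }
}
```

With this replacement set, the black-list encoder leaves the single quote untouched because it was never on the list, while the white-list encoder encodes it along with every other character it does not explicitly recognize as safe.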

HttpServerUtility.HtmlEncode uses HttpUtility.HtmlEncode internally, so there is no specific difference between the two. Server.HtmlEncode exists for compatibility with classic ASP.

posted @ 2011-11-07 11:09  KevinWang