I'm not generally a fan of filtering input as an approach to protecting from xss, I think it is much better to assume that untrusted content can get past the filters and into the database during input and protect from xss by filtering output. We use NeatHtml in mojoPortal to protect us from untrusted content. The problem with filtering on the front end is that if you later found something got past the filtering there isn't a good way to solve it since the content is already in the database. Therefore we assume the untrusted content in the database probably does have malicious content. Given that assumption it is always possible to improve the output filtering, but if you only filter on input and then assume the content in the db is safe because you filtered it during input you could be wrong and without filtering the output the malicious content that made it into the db can be rendered in your site. For more information see the article protecting from untrusted content. In practice, the white-list approach to filtering output used in NeatHtml has never failed to protect from xss.

That said, you can use the stuff in the toolkit, this article explains the needed web.config configuration, but you'll need to download the toolkit and add the HtmlAgilityPack.dll into the /bin folder since it wasn't bundled with this release of mojoPortal. I will bundle it and include the needed config settings in the next release.

Hope that helps,

Joe