A potentially dangerous Request.Form value was detected from the client
I understand I can use validateRequest="false" to bypass ASP.NET security. I'd like to know what security issues setting this flag may cause. Can I be 100% sure there won't be any issue as long as I encode the input using an XSS library?
As I understand, this validation protects only from '<' and '>' characters, and therefore you are protected from e.g. someone putting <script>alert('f word')</script> in your blog post comment...
I had to turn it off in a few applications and (as mentioned) as long as you do encode your output you should be fine. And request validation should not be your only weapon for XSS prevention - How To: Prevent Cross-Site Scripting in ASP.NET.
On the other hand if you are using MVC3 you can disable request validation at a more granular level
As long as you properly encode data displayed in the resulting HTML page you are pretty safe.
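To make the two points above concrete (disable validation only where raw markup is genuinely expected, and HTML-encode on output), here is an added ASP.NET MVC 3 example; it is not code from the question or any of the answers. `CommentModel`, `CommentsController` and the two `Render*` helpers are hypothetical names; `[AllowHtml]`, `[ValidateInput]` and `HttpUtility.HtmlEncode` are the real framework APIs.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example (not from the original page). Names below are hypothetical.
public class CommentModel
{
    public string Author { get; set; }

    // [AllowHtml] (MVC 3) switches request validation off for this one
    // property only, so '<' and '>' reach the action in Body while Author
    // and every other field are still checked. This is the granular option
    // mentioned above; validateRequest="false" in web.config would disable
    // it for the whole page/site instead.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Coarser alternative: [ValidateInput(false)] on the action disables
    // validation for every parameter of this action, not just one property.
    // Prefer [AllowHtml] on the specific property when you can.
    [HttpPost]
    public ActionResult Create(CommentModel model)
    {
        // Store the raw text; encoding belongs at the output side, where the
        // rendering context (HTML body, attribute, script, URL) is known.
        return View("Show", model);
    }

    // What request validation was guarding against: raw input concatenated
    // straight into markup, so "<script>alert('x')</script>" runs in the browser.
    public static string RenderUnsafe(CommentModel c)
    {
        return "<p>" + c.Body + "</p>";
    }

    // Hardened form: HtmlEncode turns '<', '>', '&', '"' into entities, so the
    // same input is displayed as text instead of being interpreted as a tag.
    public static string RenderEncoded(CommentModel c)
    {
        return "<p>" + HttpUtility.HtmlEncode(c.Body) + "</p>";
    }

    // Attribute values need the attribute-context encoder; quotes matter there.
    public static string RenderTitleAttribute(CommentModel c)
    {
        return "<div title=\"" + HttpUtility.HtmlAttributeEncode(c.Author) + "\"></div>";
    }
}
```

In a Razor view, `@Model.Body` already performs the same HTML encoding as `RenderEncoded`; only `@Html.Raw(...)` emits the string untouched, which is the place to look first when auditing a project that has turned validation off. `HtmlEncode` covers the HTML body and (with `HtmlAttributeEncode`) attribute contexts; text that ends up inside a `<script>` block or a URL needs the encoder for that context, which is why the answers say output encoding, not the validateRequest flag, is the actual control.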