Check out the patterns and practices site for security in .NET.
Don't just rely on some of the built-in features of ASP.NET. For example, the ASP.NET 2.0 Internet Security Reference Implementation uses custom functions to encode input because ASP.NET's Server.HtmlEncode only encodes the <, >, " and & characters. This is not sufficient to protect against all possible attacks. The authors also reference the Microsoft Anti-Cross Site Scripting Library V1.0 to fight against unproven (aka evil) input.
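As an added illustration (our own code, not from the reference implementation or the AntiXSS library), the snippet below contrasts a constructed stand-in for an encoder that touches only <, >, " and & with a whitelist encoder that entity-encodes every non-alphanumeric character, which is the approach the AntiXSS library takes. Rendering a value that contains an apostrophe into a single-quoted attribute shows why the minimal character set is not enough: the apostrophe survives and ends the attribute early. The class and method names are ours; note that HttpUtility.HtmlEncode in .NET Framework 4 and later does encode the apostrophe as &#39;, so the minimal encoder here reproduces the ASP.NET 2.0 behaviour the post describes rather than calling the framework.

```csharp
using System;
using System.Text;

// Added example: contrasts minimal HTML encoding with whitelist encoding.
static class HtmlEncodingDemo
{
    // Constructed stand-in for the behaviour the post attributes to
    // Server.HtmlEncode in ASP.NET 2.0: only < > " & are replaced.
    public static string MinimalHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '<': sb.Append("&lt;"); break;
                case '>': sb.Append("&gt;"); break;
                case '"': sb.Append("&quot;"); break;
                case '&': sb.Append("&amp;"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Whitelist encoder (our own implementation): every character outside
    // [A-Za-z0-9] becomes a numeric character reference, so the output cannot
    // terminate a double-quoted, single-quoted or unquoted attribute, nor
    // start a tag, regardless of which context the page author used.
    public static string StrictHtmlEncode(string input)
    {
        var sb = new StringBuilder(input.Length * 2);
        foreach (char c in input)
        {
            bool safe = (c >= 'a' && c <= 'z')
                     || (c >= 'A' && c <= 'Z')
                     || (c >= '0' && c <= '9');
            if (safe)
                sb.Append(c);
            else
                sb.Append("&#").Append((int)c).Append(';');
        }
        return sb.ToString();
    }

    // True when the encoded value contains no raw apostrophe, i.e. it cannot
    // close a single-quoted attribute such as title='...'.
    public static bool SafeInSingleQuotedAttribute(string encoded)
    {
        return encoded.IndexOf('\'') < 0;
    }

    static void Main()
    {
        // Constructed untrusted input: an ordinary name with an apostrophe.
        string untrusted = "O'Neil";

        string minimal = MinimalHtmlEncode(untrusted);
        string strict = StrictHtmlEncode(untrusted);

        // With the minimal encoder the apostrophe is left alone and the
        // attribute ends after "O"; with the strict encoder it is &#39;.
        Console.WriteLine("minimal: <span title='" + minimal + "'>");
        Console.WriteLine("strict:  <span title='" + strict + "'>");
        Console.WriteLine("minimal safe in single-quoted attribute: "
                          + SafeInSingleQuotedAttribute(minimal));
        Console.WriteLine("strict safe in single-quoted attribute:  "
                          + SafeInSingleQuotedAttribute(strict));
    }
}
```

The practical takeaway is to pick the encoder by output context (element content, attribute value, URL, script) rather than assuming one general-purpose call covers every placement; the whitelist approach is the conservative default when the context is not known at the point of encoding.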
Likewise, the app discourages the use of DataBinder.Eval()
when displaying content from the database. "While Eval is sometimes
safe to use on purely static data, it is best to avoid it completely as
it has the potential to allow an attacker to execute arbitrary code on
the host server."