Anil has some interesting observations about Julia's posting on the ASP.NET Request Validation feature in ASP.NET 1.1, which provides some protection against cross-site scripting attacks. A bit of background on this feature: After we shipped v1.0, one of the pieces of customer feedback we got was that it was too easy for developers to make the mistake of leaving their site unprotected from cross-site scripting attacks. In fact, Dmitry, our dev manager, actually went on several prominent commercial sites (some, but not all, running ASP or ASP.NET), and found that a few were prone to cross-site scripting attacks. As part of the philosophy of securing by default, we decided to create the request validation feature, and turn it on by default, so...