Inside the new ValidateRequest feature

Victor Garcia Aprea has a great detail about the new validation request feature from Microsoft.

Great, but my point is still valid: this breaks the rules.

Because I think about production environments. Because I talk about sites that went live a few months ago, and suddenly a new rule comes without any publicity and changes the rules, creating errors.

This is what I call a very bad mistake: implementing a new rule which breaks your code.

I would prefer to have this feature have a false value by default, and some strong recommendations by the .Net team to turn it on, rather than now having to check every single page.

[Paschal L]

I must say that I completely disagree.  Microsoft's job is to make their software as secure as possible right out of the box.  They did an incredible job with Windows Server 2003 in this area and .NET 1.1 is part of that effort.  I was bitten by this change on 3 websites, but it's pretty simple to add an attribute to the web.config and fix it.  I think they did the right thing.
