I've got a custom Gridview. In one thread:
> A callback is performed, and the callback returns to the browser an HTML string that represents an "insert row".
> The "insert row" is added to the Gridview table in the DOM using JS.
> The user adds info to a MainText field in the insert row and then initiates an "accept entry".
> During "accept entry", the contents of the MainText field are placed in a hidden field (call it "TextReturn"), and then the page is posted back to the server.
> In Page_Load, a function is called that operates on "TextReturn".
What are some different approaches to validating that the TextReturn field value does not contain malicious code?
Related thoughts: can I do something with the TextReturn field back at the server during Page_Load, or is that "too late"... do I need to take care of it at the browser? How might I "take care of it"... are there any built-in ASP.NET or JS functions that might help? (BTW, I'm looking at Atlas, but don't want to count on it yet, and am not sure it would allow the same function and performance as with this specific row insert operation.)
Any guidance on this would be appreciated.
Thanks!