Hi everyone,
I've noticed,in TBH,user comments and forum's posts are not being decoded.Is marco not validating these inputs ? or am I missing something ?
And what should we do to validate these user inputs?

I don't know about comments but the posts decode is made by fckeditor!

If you disable the "view code" button from this toolbar the user can't insert html tags, (or they will be decoded by fck)

Thanks Maxxim for ur reply.
I've figured out what I was missing; user comments are being encoded into HTML while being displayed back to the browser, thats what we need to avoid scripting attacks. And I guess you are rite,Forums posts are encoded by FCKeditor.
Sorry,I was using a wrong word, we don't have to "decode" the user content, we "encode" user content into HTML while displaying it back to the browser.

I just got back from the quarterly MSDN event where they discussed security. Microsoft is backing away from Server.HtmlEncode and they prefer a more agressive approach now. Their "Anti Cross-Site Scripting Library" is a small light-weight DLL that we can add to our applications. This uses white-list filtering instead of the black-list filtering in Server.HtmlEncode. The syntax is simple, you just use "AntiXss.HtmlEncode". Get it here:

http://msdn2.microsoft.com/en-us/library/aa973813.aspx

I'm not saying we should tear into the FCKeditor, but there are other places where we can leverage this library.

Eric

nice article Eric!

Thanks for the share!
I will save the link for sometime when I had more time and read it all!

Thanks eric for sharing this information. But I'm surprised to see that this article exists at MSDN since Nov. 2006 but its first time I'm hearing about it!