Still there are applications developed using webform. In your application when a user enters html tags for cross site scripting or load malicious script to inject into your site in your forms and submit you will get the following error

A potentially dangerous Request.Form value was detected from the client

Eventhough handles the html tags submission but it throws the above error and it looks ugly.

We can use a custom validator along with the input controls and prevent the form being submitted before. In this snippet, i am using only 4 html tag varieties, you can use any combination you want.

Your .aspx page – no codebehind

<html xmlns="">
<head runat="server">
    <script type="text/javascript">
        function validateText(sender, args) {
            var ctrlId = document.getElementById("<%=TextBox1.ClientID%>");
            var str = ctrlId.value
            str = str.toLowerCase()
            if (str.includes("<") || str.includes("src=") || str.includes("<a") || str.includes("href=") || str.includes("<html")) {
                args.IsValid = false;
            else {
                args.IsValid = true;

    <form id="form1" runat="server">
            <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
            <br />
            <asp:CustomValidator ID="CustomValidator1" runat="server" ErrorMessage="Invalid Characters" ControlToValidate="TextBox1" Display="Dynamic" ClientValidationFunction="validateText"></asp:CustomValidator>
            <br />
            <asp:Button ID="Button1" runat="server" Text="Submit" />