For your websites to be Cross site scripting (XSS) safe, the following rules need to be followed:
1. Do not use the built-in WYSIWIG editor (HTML area (Formatted Text) form control) to allow live site users to enter text (e.g. in user profiles, forums, etc.). Instead use the BBcode editor.
This editor is displayed by selecting BBcode editor as the value of the Form control property when defining fields for document types (or other objects):
2. When writing your transformations, use the following method to resolve text entered via the BBcode editor:
3. When writing your transformations, use the Eval(string columnName, bool encode)method with the second parameter enabled to display content of any field whose content was entered by the users, e.g.:
<%# Eval("PostSubject",true) %>