For your websites to be Cross site scripting (XSS) safe, the following rules need to be followed:
1. Do not use the built-in WYSIWIG editor (HTML area (Formatted Text) form control) to allow live site users to enter text (e.g. in user profiles, forums, etc.). Instead, use the BBcode editor.
You can make users use the editor by selecting BBcode editor as the value of the Form control property when defining fields for document types (or other objects), as shown in the following image.
2. When writing your transformations, use the following method to resolve text entered via the BBcode editor:
3. When writing your transformations, use the Eval(string columnName, bool encode)method with the second parameter enabled to display content of any field whose content was entered by the users, e.g.:
<%# Eval("PostSubject",true) %>