Pretty cool analysis. The "ASP.NET's ValidateRequest stops XSS so its up to the dev to mess it up" is incorrect. Ignore esoteric attacks like double/triple encodings, etc. Lets do something basic. " onmouseover="alert('xss')
ValidateRequest does not stop attribute injection attacks. Syscan - Next Generation .NET Vulnerabilities.pdf | 
