I've read the ASP.NET security principles:
http://msdn.microsoft.com/en-us/library/ff647397.aspx
While not a security problem, when a user enters HTML code, it displays an error page. What are the design patterns/ways around them getting the custom error page? Is it required that I HTML encode everything?
I have, for example, a password field where I've not been encoding that field. Is there a way to check for any HTML code and return an error? Or just to catch this exception?
Somehow throwing up an error page doesn't seem like the best solution, but I'm not sure what would be.