A potentially dangerous Request.Form value was detected from the client (spanContent="... <span><p>
I think you are attacking it from the wrong angle by trying to encode all posted data.Note that a "<
" could also come from other outside sources, like a database field, a configuration, a file, a feed and so on. Furthermore, "<
" is not inherently dangerous, its only dangerous in a specific context: when writing unencoded strings to HTML output (because of XSS). In other contexts different substrings are dangerous, e.g. if you write an user-provided URL into a link, the substring "javascript:
" may be dangerous. The single quote character on the other hand is dangerous when interpolating strings in SQL queries, but perfectly safe if it is a part of a name submitted from a form or read from a database field.
validateRequest="false"
<httpRuntime requestValidationMode="2.0" />