tags:

views: 88

answers: 2

I made a page where something entered in a TextBox is displayed "as-is" on a Label control.

Since I am a beginner, I just made:

Label1.Text = TextBox1.Text.ToLower();

Is this dangerous? I tried something, but it seems that Label controls only take text, so I felt confident that it is safe.

Maybe it is dangerous if the user inserts some escape command?

+3  A: 

Why not do Label1.Text = Server.HtmlEncode(TextBox1.Text.ToLower()); instead? You can read more about it here. Not doing that may make you vulnerable to cross-site scripting, depending on how your app is configured.

So, in answer to "is it dangerous": it depends. Though ASP.NET validates user input to exclude HTML/scripts, this may be turned off. Better not to take the risk! You can learn about ASP.NET's request validation feature here.

RichardOD
Thank you, I will implement Server.HtmlEncode sitewide.
Magnetic_dud
+4  A: 

Yes, definitely it is. Nothing a user enters, specifically from a public web page, should be trusted.

You need to clean anything entered by a user before committing it to a database or displaying it in a browser.

At least HtmlEncode it, as suggested by RichardOD. You can use Microsoft's AntiXSS library for cleaning user input.

TheVillageIdiot
+1. I was going to add in the Microsoft anti XSS library too, but as you've added it there's now no point.
RichardOD
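The point both answers make, as an added example that is not code from the question or from either answer: a Label's Text property is written into the response verbatim, so the original line puts whatever the user typed straight into the page's HTML. The example below shows the original line beside the Server.HtmlEncode version from the first answer and the AntiXSS Encoder.HtmlEncode version from the second, plus a small stand-alone class that builds the span a Label renders so you can see what the browser receives for a constructed payload. The page class, the control names TextBox1 and Label1, the handler names and the payload are assumptions taken from the question or made up for this example; the AntiXSS call assumes the Microsoft.Security.Application assembly is referenced.

```csharp
using System;
using System.Web;      // HttpUtility.HtmlEncode; Server.HtmlEncode calls the same routine
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed page: a TextBox named TextBox1 and a Label named Label1, as in the question.
public partial class EchoPage : Page
{
    // Original, vulnerable line. Label.Text is emitted into the response untouched,
    // so whatever the user typed becomes part of the page's markup.
    protected void Submit_Unsafe(object sender, EventArgs e)
    {
        Label1.Text = TextBox1.Text.ToLower();
    }

    // Hardened: encode for the HTML body context at the point of output. ToLower() is
    // kept only because the question wanted it; it is not a defence, since tag and
    // attribute names are case-insensitive and a lower-cased payload is still a payload.
    protected void Submit_Safe(object sender, EventArgs e)
    {
        Label1.Text = Server.HtmlEncode(TextBox1.Text.ToLower());
    }

    // Same idea with the AntiXSS library (assumes Microsoft.Security.Application is
    // referenced). Its encoders are allow-list based and come in per-context flavours
    // (HtmlEncode, HtmlAttributeEncode, JavaScriptEncode, UrlEncode); pick the one
    // that matches where the value ends up.
    protected void Submit_AntiXss(object sender, EventArgs e)
    {
        Label1.Text = Microsoft.Security.Application.Encoder.HtmlEncode(TextBox1.Text.ToLower());
    }
}

// Stand-alone check, runnable as a console program linked against System.Web.dll,
// of what the browser would receive in each case.
public static class LabelXssDemo
{
    // Constructed sample input. It is already lower case, so ToLower() changes nothing,
    // and it needs no <script> element: any tag with an event handler attribute will do,
    // which is why "the control only takes text" offers no protection.
    public const string Payload = "<img src=x onerror=alert(document.cookie)>";

    // A Label renders as <span id="..."> + Text + </span>, with Text inserted as-is.
    public static string RenderLabel(string text)
    {
        return "<span id=\"Label1\">" + text + "</span>";
    }

    // Mirrors Submit_Unsafe: the payload is parsed by the browser as a real <img> tag
    // and its onerror handler runs in the page's origin.
    public static string RenderUnsafe(string userInput)
    {
        return RenderLabel(userInput.ToLower());
    }

    // Mirrors Submit_Safe: HtmlEncode turns <, >, & and " into character references,
    // so the browser displays the payload as literal text instead of parsing it.
    public static string RenderSafe(string userInput)
    {
        return RenderLabel(HttpUtility.HtmlEncode(userInput.ToLower()));
    }

    public static void Main()
    {
        Console.WriteLine(RenderUnsafe(Payload));
        Console.WriteLine(RenderSafe(Payload));
    }
}
```

Two caveats a practitioner would add to the answers above. First, ASP.NET request validation rejects requests whose fields look like markup, but it is a per-page setting (`<%@ Page ValidateRequest="false" %>`) that is routinely switched off wherever a form legitimately accepts angle brackets, so it should be treated as defence in depth rather than the reason the echo is safe; encoding at the point of output is what actually removes the bug. Second, HtmlEncode is correct only for the HTML body and quoted attribute contexts; a value dropped into a JavaScript string, a URL or an unquoted attribute needs the encoder for that context, which is exactly what the AntiXSS library's separate encoders are for. If the control exists only to echo text, an ASP.NET Literal with Mode="Encode" performs the encoding for you, so the page cannot forget it.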