I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In my situation, we are working on a scholarship application process, and we had hoped to use this to all nominees to type up an Essay on-line. We wanted to take the data and re-display it to the review board, but obviously, this is a bad idea.
So I'm wondering if anyone knows of a simple way of validating the content to allow HTML, but not script, perhaps using a CustomValidator or a Regular Expression that I can use in the code-behind. I'm aware that it's better to to white list validation and not blacklist validation, 'm specifically looking for that.
Alternatively, if anyone is aware of a similar control that does protect against XSS attacks, that would be good, too.