I have a form where any characters are acceptable input. Obviously this leaves me vulnerable to XSS attacks. I know there are a few options such as making sure validaterequest is set to true on my asp.net pages, and/or using the html encode utility. If I do this however I wont be able to get the form to submit since I get the "a dangerous request...." error due to the characters I am allowing to be input. The problem I have is I dont neccesairly want encoded data input into my MSSQL database for a variety of reasons. The main reason is displaying the data and or decoding the data through ad hocs and SRS reports is not easy.
My question is what is the best way to handle the above situation?