Potential script injection danger with Event validation turned False!

Oct 3, 2009 at 7:53 AM

There are some pages, which contain the embedded Xinha textbox control, on which EventValidation is turned False. My question is: with this attribute turned off, could there be a potential risk of script injection in the code? If yes, then shouldn't we use HtmlEncode to convert the text string first before we save it to our database?