The easiest way I suggest is to use a regular expression coupled with a RegularExpressionValidator control in ASP.NET...
This will eliminate the <> of a cross-site scripting attack and also eliminate the ' (single quote) of the SQL injection attack problem.
I used the following regular expression for a field name, e.g. TaskName:
^[,.&!? 0-9a-zA-Z ]+$
This will ensure that only alphabets and numbers, a white space, and the symbols used in writing like ,.&!? are used.
There is no possibility for the user to start any attack.
Thanks,
Mahernoz.
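The allowlist pattern from the post above, run against constructed sample inputs as an added example; this is not the poster's code, and it uses Python with an in-memory sqlite table (a hypothetical `tasks` table) in place of the ASP.NET validator so it can be executed stand-alone. It shows which inputs the pattern accepts and rejects, one edge case of the `$` anchor (it also matches just before a trailing newline, in both Python and .NET, so the check uses `re.fullmatch`), and stores the validated value with a parameterized query so the database layer does not rely on the validator alone.

```python
import re
import sqlite3

# Allowlist from the post: letters, digits, space and the punctuation , . & ! ?
# (the pattern is copied as given; the duplicated space inside the class is harmless).
TASK_NAME_PATTERN = re.compile(r"^[,.&!? 0-9a-zA-Z ]+$")


def is_valid_task_name(value: str) -> bool:
    """True only if the entire string matches the allowlist.

    re.fullmatch is used on purpose: with re.match, the trailing ``$`` also
    matches just before a final newline, so "Fix bug\n" would slip through.
    (.NET's ``$`` behaves the same way; ``\z`` is its strict end-of-string anchor.)
    """
    return TASK_NAME_PATTERN.fullmatch(value) is not None


def is_valid_task_name_loose(value: str) -> bool:
    """Same regex checked with re.match, kept only to show the newline edge case."""
    return TASK_NAME_PATTERN.match(value) is not None


def save_task(conn: sqlite3.Connection, task_name: str) -> int:
    """Validate, then insert using a parameterized query.

    The allowlist rejects the characters the post is concerned about, and the
    ``?`` placeholder means the database never interprets the value as SQL
    regardless of what the validator allows (defence in depth).
    Assumes a hypothetical ``tasks`` table with an ``id`` and a ``name`` column.
    """
    if not is_valid_task_name(task_name):
        raise ValueError(f"rejected task name: {task_name!r}")
    cur = conn.execute("INSERT INTO tasks (name) VALUES (?)", (task_name,))
    return cur.lastrowid


def demo() -> dict:
    """Run constructed sample inputs through the validator and return a summary."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")

    samples = {                                  # constructed sample inputs
        "Review Q3 budget, please!": True,       # plain text with allowed punctuation
        "Task 42?": True,
        "<script>alert(1)</script>": False,      # angle brackets are not in the class
        "x' OR '1'='1": False,                   # single quote is not in the class
        "": False,                               # '+' requires at least one character
        "Fix bug\n": False,                      # trailing newline, see is_valid_task_name
    }
    results = {s: is_valid_task_name(s) for s in samples}
    assert results == samples

    saved = [save_task(conn, s) for s, ok in samples.items() if ok]
    rows = conn.execute("SELECT name FROM tasks ORDER BY id").fetchall()
    return {
        "results": results,
        "saved_count": len(saved),
        "stored_names": [r[0] for r in rows],
        "newline_passes_with_match": is_valid_task_name_loose("Fix bug\n"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The `is_valid_task_name_loose` function exists only to make the anchor edge case visible: the same pattern accepts "Fix bug\n" under `re.match` and rejects it under `re.fullmatch`. In .NET the equivalent strict form is to end the pattern with `\z` instead of `$`.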