且构网 - sharing the things programmers run into in development

Scripting vulnerabilities in ASP.NET - is setting validateRequest="true" good advice?

Updated: 2023-02-17 10:00:08

Microsoft is not wrong in their sentence, but on the other hand it is far from complete, and their sentence is dangerous.

Since, by default, validateRequest == true, you indeed should encode special HTML characters in the client in order for them to get into the server in the first place and bypass validateRequest.

But they should have emphasized that this is certainly not a replacement for server-side filtering and validation.

Specifically, if you must accept HTML, the strongest advice is to use white-listing instead of black-list filtering (i.e. allow very specific HTML tags and eliminate all the others). Use of the Microsoft AntiXSS library is highly recommended for strong user input filtering. It's far better than "re-inventing the wheel" yourself.
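The contrast the answer draws between black-list filtering and white-listing, shown as an added example that is not code from the original page, from the question's ASP.NET application, or from Microsoft's AntiXSS library. It uses Python's standard html.parser so it runs stand-alone; the allowed tag/attribute set (`ALLOWED_TAGS`) and the sample payloads are constructed for the illustration. The black-list function removes `<script>` tags with a regular expression, which is the kind of filter the answer warns against; the white-list sanitizer keeps only listed tags and attributes, drops any `href` that is not a plain http(s) URL, and HTML-encodes all text, so anything it does not explicitly recognise comes out as inert text rather than markup.

```python
import re
from html import escape
from html.parser import HTMLParser

# --- Black-list filtering: strip known-bad tags, pass everything else through ---
# This is the approach the answer warns against. Hypothetical filter built for this example.
BLACKLIST = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def blacklist_filter(html: str) -> str:
    """Remove <script> and </script> tags by pattern; everything else is trusted."""
    return BLACKLIST.sub("", html)


# --- White-list sanitising: keep only explicitly allowed tags and attributes ---
# Hypothetical policy chosen for this example: a few formatting tags and links.
ALLOWED_TAGS = {
    "b": set(),
    "i": set(),
    "p": set(),
    "a": {"href"},
}


class WhitelistSanitizer(HTMLParser):
    """Rebuild the fragment from parsed tokens, emitting only allowed markup.

    Every text node is HTML-encoded, disallowed tags are dropped (their text is
    kept as text), and end tags are only emitted for tags we actually opened,
    so the output is always balanced.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the markup, keep any following text
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onerror=, onclick=, style=, etc.
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue  # rejects javascript:, data:, vbscript: and relative tricks
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open:
            return  # stray or disallowed end tag: ignore
        while self.open:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        # Text is always encoded, so "<" in data can never become markup.
        self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are silently dropped
    # by HTMLParser's default handlers, which is what we want.

    def result(self) -> str:
        while self.open:  # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def whitelist_filter(html: str) -> str:
    """Sanitise an untrusted HTML fragment with the white-list policy above."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed payloads for the demonstration.
    nested = "<scr<script>ipt>alert(1)</scr</script>ipt>"   # defeats the regex
    handler = '<img src=x onerror=alert(1)>'                 # not on the black-list at all
    benign = '<b>bold</b> <a href="https://example.com">x</a>'
    print("blacklist:", blacklist_filter(nested))   # reassembles <script>alert(1)</script>
    print("blacklist:", blacklist_filter(handler))  # untouched
    print("whitelist:", whitelist_filter(nested))   # plain encoded text, no markup
    print("whitelist:", whitelist_filter(handler))  # empty: img is not allowed
    print("whitelist:", whitelist_filter(benign))   # allowed markup survives intact
```

The point to take from running it: the black-list filter is correct for the one pattern it knows and wrong for everything else, while the white-list sanitizer's default is to encode, so a new bypass has to be an allowed tag with an allowed attribute to matter. For real ASP.NET code the equivalent is the AntiXSS library's sanitizer rather than a hand-rolled parser, and note that request validation (validateRequest) only rejects suspicious-looking input on the way in; it does nothing about how the data is later emitted into a page.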