It's easy to forget about conditioning data when you are in the midst of getting a product out the door. This is particularly true of web projects. Even Intranet web sites get hacked.
The moral is: don't forget to condition input text. One of the easiest steps you can take is using HtmlEncode:
// Don't do something like this before processing text.
string body = this.Message.Text + "\n";
// Instead, process the message so that markup characters such as < and >
// are replaced with &lt; and &gt;. See MSDN for the full list of
// characters that are encoded.
string body = Server.HtmlEncode(this.Message.Text + "\n");
This simple change might prevent someone from embedding script in a text control that would then run amok on your web server.
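As an added example (not part of the original post), the snippet below shows what HtmlEncode actually does to a hostile-looking message and where the call belongs. It uses System.Net.WebUtility.HtmlEncode so it runs as a plain console program outside ASP.NET; Server.HtmlEncode performs the same replacement. The message text and the RenderMessage helper are constructed for this example.

```csharp
using System;
using System.Net;

static class SafeRender
{
    // Builds the HTML for one message. The only untrusted value is `text`;
    // the surrounding markup is fixed and under our control.
    public static string RenderMessage(string text)
    {
        // HtmlEncode replaces < > & " and ' with character references, so
        // the browser displays them literally instead of parsing them as
        // markup. Encode here, at the point where text becomes HTML, and
        // store the original message unchanged.
        string encoded = WebUtility.HtmlEncode(text);
        return "<div class=\"message\">" + encoded + "</div>";
    }

    static void Main()
    {
        // Constructed sample input resembling a script-injection attempt.
        string hostile = "<script>alert(1)</script> said \"hi\"";

        // Unsafe: the message is dropped into the page as-is.
        Console.WriteLine("<div class=\"message\">" + hostile + "</div>");

        // Safe: the same message after encoding; the <script> tag is inert.
        Console.WriteLine(RenderMessage(hostile));

        // Caveat: encode exactly once. If text is encoded when it is saved
        // and again when it is rendered, &lt; becomes &amp;lt; and the page
        // shows "&lt;" to the reader instead of "<".
        string stored = WebUtility.HtmlEncode("<b>bold?</b>");
        Console.WriteLine(RenderMessage(stored));
    }
}
```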