I don't know if this qualifies as evil, stupid, both, or neither, but here's a story.
So, what to do? Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent to ASP.NET @Page Directive "validateInput = true" into an custom validateInput HttpModule. I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.
Again, may be evil, but felt so good. When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:
<add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10" />
A couple of interesting questions came up, one of which was...
A while loop is expanded when compiling IL, and the C# equivalent is something like this:
index = (index + 1);
if (index >= len)
Should I (for tidying up's sake) roll it back up to something like this:
//Programmer intent: look for non-alphas...
while (index < len)
or just leave well-enough (and well-equivalent) alone? Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.