Hackers are ruthless and they do not care about your site or liabilities. They will try anything. Microsoft has gone a long way to help us, by default, protect against many of these attacks. Which is the way it should be. But there are times when you want your users to submit markup encoded content. Think about when you want your clients, meaning the people paying you do develop and hopefully maintain the application you built, to submit formatted content.