I am going to show you an old but useful tip for preventing script injection (XSS) in our forms.
First of all, we have this line, which does not HTML-encode its output:
To encode this output correctly and avoid XSS attacks, you should change it to this:
However, ASP.NET MVC introduces this shorter syntax for the same purpose:
Did you see it?
The key is to replace <%= with <%: .
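As an added example (not code from the original post), here is a small console program that calls the same encoder the <%: %> syntax compiles down to (HttpUtility.HtmlEncode) next to the verbatim write that <%= %> performs. The input string and the HtmlString value are constructed for the demonstration; they are assumptions, not values from the post.

```csharp
// Added example: what <%= expr %> and <%: expr %> emit for the same value.
// Requires a reference to System.Web.dll (.NET Framework 4 or later).
using System;
using System.Web;

class EncodingDemo
{
    // Constructed attacker-style value, assumed to arrive from a form field.
    const string UserInput = "<script>alert('xss')</script>";

    // <%= expr %> writes the value verbatim (equivalent to Response.Write(expr)),
    // so any markup in user input lands in the page unchanged.
    static string RawSyntax(object value)
    {
        return Convert.ToString(value);
    }

    // <%: expr %> writes HttpUtility.HtmlEncode(expr). The object overload
    // encodes <, >, &, " and ' into entities, but leaves values that implement
    // IHtmlString (e.g. what Html.ActionLink returns) untouched, so helper output
    // is not double-encoded.
    static string EncodingSyntax(object value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    static void Main()
    {
        Console.WriteLine("<%= %> : " + RawSyntax(UserInput));      // script tag intact
        Console.WriteLine("<%: %> : " + EncodingSyntax(UserInput)); // entities only

        // Constructed markup already marked safe: passes through <%: %> unencoded.
        IHtmlString safeMarkup = new HtmlString("<a href=\"/home\">Home</a>");
        Console.WriteLine("<%: %> : " + EncodingSyntax(safeMarkup));
    }
}
```

The third line shows the caveat to keep in mind when you switch a view to <%: %>: a value that implements IHtmlString is trusted as already-encoded, so never wrap raw user input in HtmlString.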