After reading the "ASP.NET request validation causes: is there a list?" post regarding what causes ASP.NET to complain about dangerous inputs, I decided to write my own regular expression to use in a RegularExpressionValidator.
I created a regular expression for testing points 2 and 3 from Travis's accepted answer...
- 2 - If the & character is in a &# sequence (e.g.,  for a non-breaking space), it's a "dangerous string."
- 3 - If the < character is part of <x (where "x" is any alphabetic character a-z), <!, </, or <?, it's a "dangerous string."
^(.)(&#)+|(<[a-zA-Z!/\?])+(.)$
This seems to work great using the tester on regexlib.com as it matched all the things you'd expect and nothing you wouldn't.
But when I use the expression on an ASP.NET RegularExpressionValidator the validator fires on any text at all! It does the same on Firefox or IE and whether EnableClientScript is true or false. I'm using .NET 4.5.1, but I don't expect that makes any difference. Any ideas why and how to fix it or why it isn't working?
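An added example, not part of the original post: RegularExpressionValidator treats input as valid only when the expression matches the entire value, so an expression that describes dangerous input rejects ordinary text. The sketch below emulates that rule in JavaScript and compares the question's expression with an inverted one; the function names, `ALLOW_PATTERN` and the sample inputs are constructed for illustration.

```javascript
// Added example: emulates the whole-input match rule of RegularExpressionValidator.
// Names and sample inputs are constructed; this is not the framework's own code.

// The expression from the question: it describes *dangerous* input.
const QUESTION_PATTERN = "^(.)(&#)+|(<[a-zA-Z!/\\?])+(.)$";

// Inverted form (assumption, one possible rewrite): matches the whole input only
// when neither rule 2 (&#) nor rule 3 (<x, <!, </, <?) occurs anywhere in it.
const ALLOW_PATTERN = "^(?![\\s\\S]*(?:&#|<[a-zA-Z!/?]))[\\s\\S]*$";

// Emulated validator semantics: blank input is not checked (valid);
// otherwise the first match must be exactly the whole value.
function validatorIsValid(pattern, value) {
  if (value.trim() === "") return true;
  const m = new RegExp(pattern).exec(value);
  return m !== null && m[0] === value;
}

// Returns one row per sample showing how each pattern behaves in the validator.
function compare(samples) {
  return samples.map((value) => ({
    value,
    questionPattern: validatorIsValid(QUESTION_PATTERN, value),
    allowPattern: validatorIsValid(ALLOW_PATTERN, value),
  }));
}

// Constructed sample inputs: two harmless, two that request validation rejects.
const SAMPLES = ["hello world", "1 < 2 and AT&T", "a&#160;", "<b>"];

console.table(compare(SAMPLES));
```

With the question's expression, plain text is reported invalid while `<b>` is reported valid, because `<b>` is the one sample the expression matches in full.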