Users should not rely on the Request Validation feature to protect against cross-site scripting attacks. As with many filtering-based security features, Microsoft made the mistake of matching only a specific string and did not account for the many possible variations that allow malicious script to bypass the filter. While the null character method is the only currently reported bypass, it is likely that attackers will find other ways to evade the security filtering.
The methods to bypass the security feature have been published to public web sites. Additionally, the attack is very simple to execute.
HTML encoding of untrusted data should be performed within the application code itself, at the point where that data is written into the page, rather than delegated to request filtering.
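The following Python script is an added illustration of the point above; it is not code from the advisory or from Microsoft. It models a filter that rejects a request only when one literal string is present (a stand-in for the behaviour described, not ASP.NET's actual implementation), and contrasts it with output encoding applied in application code. The sample inputs, the `naive_request_filter` and `encode_for_html_body` function names, and the control-character stripping step are all assumptions of this example.

```python
import html
import re

# Constructed sample inputs (not from the advisory). The third one carries an
# embedded NUL byte so that a substring match for "<script" does not fire,
# even though the text is still markup-like once the NUL is discarded.
SAMPLE_INPUTS = {
    "plain": "Tom & Jerry",
    "script": "<script>alert(1)</script>",
    "nul_variant": "<\x00script>alert(1)</script>",
}

# C0 control characters (except tab, LF, CR) plus DEL; assumed policy for
# this example: such bytes have no legitimate place in text written to a page.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def naive_request_filter(value: str) -> bool:
    """Toy model of a request filter that rejects input only when it finds
    one literal string. Returns True when the request would be rejected."""
    return "<script" in value.lower()


def encode_for_html_body(value: str) -> str:
    """Encode untrusted text for insertion into an HTML element body.

    Control characters are dropped first (defence in depth against the
    null-character variant); then every character significant to the HTML
    parser is entity-encoded. The result is safe regardless of which
    tag-like variation the input used, because nothing is left to match.
    """
    cleaned = _CONTROL_CHARS.sub("", value)
    return html.escape(cleaned, quote=True)


def is_inert(encoded: str) -> bool:
    """True when the encoded string contains no character that could open a
    tag or terminate an attribute value."""
    return not any(ch in encoded for ch in "<>\"'")


def compare() -> dict:
    """Return, per sample, whether the naive filter would reject it and what
    the encoding approach emits instead."""
    return {
        name: {
            "rejected_by_filter": naive_request_filter(value),
            "encoded_output": encode_for_html_body(value),
        }
        for name, value in SAMPLE_INPUTS.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} filter_rejects={result['rejected_by_filter']!s:5s} "
              f"encoded={result['encoded_output']!r}")
```

Running it shows that the filter rejects the literal `<script>` case but passes the NUL-separated variant, while `encode_for_html_body` produces inert text for every input. In ASP.NET the same step is `HttpUtility.HtmlEncode` applied to each untrusted value as it is written to the response; the encoding must match the output context (element body versus attribute versus script), which is why it belongs in application code rather than in a generic request filter.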