Reference:
eval - Prevent Cross site scripting attack in asp.net C#
To prevent XSS when using a TemplateField on .NET Framework 4.0 or older, you can use the Microsoft Web Protection Library on the aspx page. On .NET Framework 4.5 and above, the encoder is already integrated into the Framework.
.NET Framework 4.0 or older:
<ItemTemplate>
    <asp:Label ID="Name" runat="server"
        Text='<%# Microsoft.Security.Application.Encoder.HtmlEncode(Eval("Name").ToString()) %>'>
    </asp:Label>
</ItemTemplate>
.NET Framework 4.5 and above:
<ItemTemplate>
    <asp:Label ID="Name" runat="server"
        Text='<%# System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("Name").ToString(), true) %>'>
    </asp:Label>
</ItemTemplate>
This encodes the label text when it is rendered. Use it only in the ItemTemplate; the EditItemTemplate renders an HTML text input, whose value is encoded by the framework by default.
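One caveat with the bindings above: Eval("Name") returns null when the bound property is null, so the .ToString() call throws at render time. The helper below is an added example, not code from the original answer; it assumes a class named SafeBind placed in App_Code or the page's code-behind, and wraps AntiXssEncoder.HtmlEncode with a null check so the ItemTemplate can call it directly.

```csharp
// Added example (not part of the original answer). Requires .NET Framework 4.5+,
// where AntiXssEncoder ships in System.Web.dll.
using System;
using System.Web.Security.AntiXss;

public static class SafeBind
{
    // Encode a data-bound value for use as HTML text content.
    // Eval("Name") yields null for a null property and DBNull for a null
    // database column; both are handled before the encoder is called.
    public static string Html(object value)
    {
        if (value == null || value == DBNull.Value)
            return string.Empty;

        // useNamedEntities: true emits named entities (e.g. &lt;, &quot;)
        // instead of numeric ones; either form is safe for label text.
        return AntiXssEncoder.HtmlEncode(value.ToString(), true);
    }
}

// Usage in the ItemTemplate of a TemplateField:
//
//   <!-- unsafe: the field value is written into the page unencoded -->
//   <asp:Label ID="Name" runat="server" Text='<%# Eval("Name") %>' />
//
//   <!-- hardened: null-safe and HTML-encoded on render -->
//   <asp:Label ID="Name" runat="server" Text='<%# SafeBind.Html(Eval("Name")) %>' />
```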
Another article that would be a good read:
Preventing XSS in ASP.Net Made Easy