Porting from https://aspnet.codeplex.com/workitem/9958:
Please change
ValidationExtensions.ValidationSummary(...)
to use
spanTag.InnerHtml = message
and
listItem.InnerHtml = errorText.
These values are not coming from the public, and there isn't a reason to escape them using SetInnerText().
Escaping them means that even simple messages like "Login failed <a href="LostPassword">Lost your password</a>" are impossible.
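
The difference between the two assignments, shown as an added example that is not part of the original report or the ASP.NET code base. `Encoded` and `Raw` are hypothetical stand-ins for `TagBuilder.SetInnerText()` and a direct `InnerHtml` assignment, and the second error message is a constructed case in which the validation text echoes a submitted field value.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

static class ValidationSummaryDemo
{
    // Stand-in for TagBuilder.SetInnerText(): HTML-encode the text, then wrap it.
    static string Encoded(string tag, string text) =>
        $"<{tag}>{WebUtility.HtmlEncode(text)}</{tag}>";

    // Stand-in for assigning TagBuilder.InnerHtml directly: no encoding at all.
    static string Raw(string tag, string html) => $"<{tag}>{html}</{tag}>";

    // Renders the error list the way a validation summary does, using the
    // supplied strategy for each list item.
    static string Render(IEnumerable<string> errors, Func<string, string, string> item)
    {
        var sb = new StringBuilder("<ul>");
        foreach (var error in errors)
            sb.Append(item("li", error));
        return sb.Append("</ul>").ToString();
    }

    static void Main()
    {
        // Constructed sample value standing in for a posted form field.
        string submitted = "<b>abc</b>";

        var errors = new List<string>
        {
            // Developer-authored message taken from the report.
            "Login failed <a href=\"LostPassword\">Lost your password</a>",
            // Assumption: a message that embeds the attempted value.
            $"The value '{submitted}' is not valid for Age."
        };

        // Encoded: the link shows up as literal text, and so does the submitted markup.
        Console.WriteLine(Render(errors, Encoded));

        // Raw: the link works, and the submitted markup is emitted as live HTML too.
        Console.WriteLine(Render(errors, Raw));
    }
}
```

Comparing the two printed lists shows what each assignment does to both kinds of message, which is the check to make before switching the summary to unencoded output.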