With reference to the source code of the latest version of the Feedback module, I see the Feedback.ascx file already incorporates ASP.NET validation controls in it, and these obviously take care of more than 1 validation scenario:
<asp:requiredfieldvalidator id="valEmail1" runat="server" cssclass="NormalRed" display="Dynamic" errormessage="<br/>Email Is Required."
controltovalidate="txtEmail" resourcekey="valEmail1" ValidationGroup="FeedbackForm"></asp:requiredfieldvalidator>
<asp:regularexpressionvalidator id="valEmail2" runat="server" cssclass="NormalRed" display="Dynamic" errormessage="<br/>Email Must be Valid."
controltovalidate="txtEmail" resourcekey="valEmail2" ValidationGroup="FeedbackForm" validationexpression="[\w\.-]+(\+[\w-]*)?@([\w-]+\.)+[\w-]+"></asp:regularexpressionvalidator>
Please correct me if I'm wrong, but aren't these validators supposed to take care of server-side validation as well (in scenarios where JS is disabled on the browser or when EnableClientScript for the control itself is set to false)? And can't HTML/SQL/script input validation also be done with these validator controls? If that's the case, then why is there a need for additional code in feedback.ascx.vb?
See line 311 in feedback.ascx.vb:
Dim strBody As String = objPortalSecurity.InputFilter(txtBody.Text, _
PortalSecurity.FilterFlag.NoScripting And _
PortalSecurity.FilterFlag.NoSQL And PortalSecurity.FilterFlag.NoMarkup)
And the code above will not allow you to do two types of validation at the same time, i.e., if you choose NoSQL, it doesn't do the check for NoMarkup or NoScripting, whereas the validation controls take care of more than 1 type of input validation. Also, friendly error messages are not being displayed with the above code, whereas the same can be done with validation controls using the errormessage attribute.
I mean, wouldn't stopping invalid/dangerous inputs altogether via the ASP.NET validation controls be better than stripping or replacing invalid input (while at the same time accepting it)? Is this something to do with how DNN works?
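The behaviour described in the post (only one filter being applied) follows from how the flags are combined. On a Flags enum whose members are distinct single bits, "And" intersects the bit patterns, so NoScripting And NoSQL And NoMarkup evaluates to zero and no filter is selected; "Or" unions them so every filter is selected. The console program below is an added illustration and is not DotNetNuke's code: the FilterFlag enum, its bit values, and the InputFilter routine are hypothetical stand-ins for PortalSecurity.FilterFlag and PortalSecurity.InputFilter, written only to make the difference between the two combinations visible on a constructed input.

```vbnet
' Added example, not DNN's code: why "And" on flag-enum members silently
' disables every filter, and the "Or" form that actually combines them.
Imports System
Imports System.Text.RegularExpressions

Module FilterFlagDemo

    ' Hypothetical stand-in for PortalSecurity.FilterFlag. The bit values are
    ' assumed for this demo and are not copied from DotNetNuke.
    <Flags()>
    Public Enum FilterFlag
        None = 0
        NoMarkup = 1
        NoScripting = 2
        NoSQL = 4
    End Enum

    ' Hypothetical stand-in for PortalSecurity.InputFilter. Each branch runs
    ' only when its bit is present in the flag set; the regexes are
    ' illustrative and not a complete sanitizer.
    Public Function InputFilter(ByVal input As String, ByVal flags As FilterFlag) As String
        Dim result As String = input
        If (flags And FilterFlag.NoScripting) = FilterFlag.NoScripting Then
            result = Regex.Replace(result, "<script[^>]*>.*?</script>", "", _
                                   RegexOptions.IgnoreCase Or RegexOptions.Singleline)
        End If
        If (flags And FilterFlag.NoMarkup) = FilterFlag.NoMarkup Then
            result = Regex.Replace(result, "<[^>]+>", "")
        End If
        If (flags And FilterFlag.NoSQL) = FilterFlag.NoSQL Then
            result = Regex.Replace(result, "\b(drop|delete|insert|exec)\b", "", _
                                   RegexOptions.IgnoreCase)
        End If
        Return result
    End Function

    Sub Main()
        ' Constructed input containing markup, a script element and a SQL keyword.
        Dim sample As String = "<b>Hi</b><script>alert(1)</script> drop table"

        ' "And" intersects the bits: 1 And 2 And 4 is 0, so no branch in
        ' InputFilter runs and the text comes back unchanged.
        Dim andFlags As FilterFlag = FilterFlag.NoScripting And FilterFlag.NoSQL And FilterFlag.NoMarkup
        Console.WriteLine("And-combined flag value: " & CInt(andFlags))
        Console.WriteLine("Filtered with And: " & InputFilter(sample, andFlags))

        ' "Or" unions the bits: 1 Or 2 Or 4 is 7, so all three branches run.
        Dim orFlags As FilterFlag = FilterFlag.NoScripting Or FilterFlag.NoSQL Or FilterFlag.NoMarkup
        Console.WriteLine("Or-combined flag value: " & CInt(orFlags))
        Console.WriteLine("Filtered with Or: " & InputFilter(sample, orFlags))
    End Sub

End Module
```

Compile it as a VB.NET console project and compare the two "Filtered with" lines: the And-combined call leaves the constructed input untouched, while the Or-combined call strips the script element, the remaining tags and the keyword. The same check works against the real API by inspecting CInt(PortalSecurity.FilterFlag.NoScripting And PortalSecurity.FilterFlag.NoSQL And PortalSecurity.FilterFlag.NoMarkup) in a test page, provided those members are distinct single bits as a Flags enum normally is.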