Can you really depnd on validateRequest to catch all the malicious inputs from the client? If yes, where I can catch the exception produced by that? I mean the HttpRequestValidationException.

Well, you should'nt really rely on that aone. You can use Server.HtmlEncode to encode the input, or use regular expressions to check for malicious input.

I am aware of HtmlEncode and Regex but when validateRequest is not set to false in page directives then when you submit the page back to server it catches the malicious input before you can send them to HtmlEncode or Regex.