RadGrid GridBoundColumn values are not HTML encoded by default (see screenshot), so there is a risk of cross site scripting attack.

Extract from code behind:

protected void Page_Load(object sender, EventArgs e)
{
    string[] str = new string[] {
        "test
string

"
    };

    radGrid.DataSource = str;
    radGrid.DataBind();

    GridView1.DataSource = str;
    GridView1.DataBind();
 }

There is no Html encode option available at this moment so the best you can do is to encode values with ItemDataBound event:

protected void RadGrid1_ItemDataBound(object sender, Telerik.WebControls.GridItemEventArgs e)
{
    if (e.Item is GridDataItem)
    {
        GridDataItem item = e.Item as GridDataItem;
        item["Content"].Text = Server.HtmlEncode(item["Content"].Text);
    }
}

More information about this on Telerik support forum.

Another option is to create new new class which inherits from RadGrid column (e.g. GridBoundColumn) and override its PrepareCell method:

ASPX page:

Code behind:

public class MyGridBoundColumn : Telerik.WebControls.GridBoundColumn
    {
        private bool _htmlEncode = true;

        public bool HtmlEncode
        {
            get { return _htmlEncode; }
            set { _htmlEncode = value; }
        }

        public override void PrepareCell(
            TableCell cell,
            Telerik.WebControls.GridItem item
        )
        {
            base.PrepareCell(cell, item);
            if (_htmlEncode)
            {
                cell.Text = HttpUtility.HtmlEncode(
                    cell.Text
                );
            }
        }
    }