I had a data string that used “<w>” as the delimiter passed into a javascript function from an event handler in HTML, and that was totally legal in .NET Framework 3.5. However, .NET Framework 4.0 detected that as a potentially dangerous value. By changing the delimiter to a string without the angle brackets, I stopped getting the run-time error. I thought that was a good improvement made in .NET 4.0.