I've been reading the first couple of chapters of Steve Sanderson's MVC 2 book. I haven't learned much about MVC from it that I didn't know from Rails, yet. It does have a decent discussion of XSS and the .NET 4 features to make it less common.
What really caught my interest is the discussion of the Smart UI anti-pattern. This is something I definitely feel I've been guilty of. Using this anti-pattern stems from two beliefs of mine:
One, both client and server side validation should be present. The server has to have it because the client may be malicious. The client should have it because it shouldn't have to do a network round trip to find out fields were required or formatted incorrectly. If I don't need to go to the database to validate, I probably don't need to go to the server (but afterwards I will make sure you played fair).
Two, clients should display an elegant and concise UI. Often this means hiding inputs and information until it is needed. Inserting the necessary logic to do so, however, creates quite a mess of event handling code. It also makes my code more fragile, since changes in the domain logic now require changes in the event logic as well.
I'm sure there is a clean way to import validation and input relationship logic into the UI without using clipboard inheritance from the domain, but I haven't found it yet.
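One possible shape for this, as an added example that is not from the original post or from the book: a single rule table declares both the validation rules and the show/hide relationships, the UI reads it for instant feedback, and the server re-runs it as the authoritative check. The field names, rule keys and function names are hypothetical, and it assumes the server side can evaluate the same JavaScript.

```javascript
// Constructed example: field names and the rule shape are hypothetical.
// One declaration holds both validation rules and input relationships.
const rules = {
  contactMethod: { required: true, oneOf: ["email", "phone"] },
  email: { showWhen: (v) => v.contactMethod === "email", required: true,
           pattern: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ },
  phone: { showWhen: (v) => v.contactMethod === "phone", required: true,
           pattern: /^\+?[0-9]{7,15}$/ },
};

// The UI calls this to decide which inputs to show; validate() reuses it.
function isVisible(rules, name, values) {
  const rule = rules[name];
  return !rule.showWhen || rule.showWhen(values) === true;
}

// Runs in the browser for instant feedback and again on the server, where
// the result is authoritative. Returns a map of field name to error message.
function validate(rules, values) {
  const errors = Object.create(null); // no prototype, so any key is safe
  for (const name of Object.keys(values)) {
    // A tampered request may carry fields the form never offered.
    if (!Object.prototype.hasOwnProperty.call(rules, name)) {
      errors[name] = "unexpected field";
    }
  }
  for (const [name, rule] of Object.entries(rules)) {
    const value = values[name];
    if (value !== undefined && typeof value !== "string") {
      errors[name] = "must be a string";
    } else if (!isVisible(rules, name, values)) {
      // Hidden inputs must not be submitted; a modified client could send them.
      if (value !== undefined) errors[name] = "not applicable";
    } else if (value === undefined || value === "") {
      if (rule.required) errors[name] = "required";
    } else if (rule.oneOf && !rule.oneOf.includes(value)) {
      errors[name] = "not an allowed value";
    } else if (rule.pattern && !rule.pattern.test(value)) {
      errors[name] = "bad format";
    }
  }
  return errors;
}
```

Because the event handlers only ask `isVisible` and `validate`, a change to the domain rules is made in the table and not in the event logic.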