This content has not been used to retreieve data on the server or execute other server code, nor is it executed on another client, as far as I understand. The malicious user inputs some content and gets it back with a broken page but does not get any new information. I believe this can be expected, as this user attempted to break the page anyway. The developer should sanitize and validate user input in any case, so a server error before that step will not let this validation pass and such data should not be stored anyway. If it is, then the storage is done too early in the page lifecycle and I would personally consider this a flaw in the application rather in the input control.
If there is a way to actually exploit this scenario, I suggest you open a ticket and send us a sample that showcases this scenario, so we can review and respond appropriately.
Telerik by Progress
Telerik UI for ASP.NET AJAX is ready for Visual Studio 2017 RC! Learn more.