Understanding XSS and How to Prevent It
There was recently a completely stupid XSS story covered on Slashdot whose main argument is quoted below.
Fortunately, this is completely bullshit. We will later discuss what kind of countermeasures can be taken, but first of all make sure you know what XSS is. For that purpose I suggest to read the XSS FAQ.
Hope you realize that you will never catch all the possible cases because there are simply too much hacks and tricks to bypass your filter. Therefore use whitelists. If done right it’s even better to use a completely HTML unrelated template language such as bbcode which are often found in forums and wikis.
So as you have seen, it is entirely possible to prevent Cross Site Scripting. It’s even easier because most languages supply such functionality, for example in PHP there is htmlentities() available. Therefore, it basically comes down to the laziness of the programmer.
To see what can happen because of XSS vulnerabilities see for example the myspace worm.