
Comment Re:This is news? (Score 1) 208

HTML encode EVERYTHING the user sends to you.
This doesn't help you. Most XSS attacks are not about inserting HTML but using XSS to see where a site is exploitable. The common attacks to 'crack' a site are SQL injections based on the information used by XSS these days. To prevent such behaviour a coder should not bend the rules to keep his manager's time schedule. He/she should: type cast data; validate anything that can't be type cast; quote data in SQL queries; etc. There is no other way.
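
The three steps listed in the comment above (type cast, validate what cannot be cast, keep data out of the SQL text), shown as an added example that is not part of the original comment. It uses Python's sqlite3 with bound parameters standing in for manual quoting; the table, function names, allow-list patterns and inputs are all constructed for illustration.

```python
import re
import sqlite3

ID_RE = re.compile(r"[0-9]{1,9}")              # ASCII digits only (constructed rule)
AUTHOR_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # constructed allow-list for names

def make_db():
    """Constructed in-memory table standing in for a site's comment store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany("INSERT INTO comments VALUES (?, ?, ?)",
                   [(1, "alice", "first"), (2, "bob", "second"), (3, "alice", "third")])
    return db

def parse_id(raw):
    """Type cast. int() alone also accepts ' 7', '+7' and '1_000', so check the shape first."""
    if not ID_RE.fullmatch(raw):
        raise ValueError("id is not a plain integer")
    return int(raw)

def parse_author(raw):
    """Validate what cannot be cast: the whole value must match the allow-list."""
    if not AUTHOR_RE.fullmatch(raw):
        raise ValueError("author contains characters outside the allow-list")
    return raw

def find_comments(db, raw_min_id, raw_author):
    """Bind the checked values as parameters; they never become part of the SQL text."""
    params = (parse_id(raw_min_id), parse_author(raw_author))
    sql = "SELECT id, body FROM comments WHERE id >= ? AND author = ? ORDER BY id"
    return db.execute(sql, params).fetchall()

def find_by_body(db, raw_body):
    """Free text has no narrow allow-list; binding alone keeps it as data."""
    return db.execute("SELECT id FROM comments WHERE body = ?", (raw_body,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(find_comments(db, "1", "alice"))
    for bad in [("1 OR 1=1", "alice"), ("1", "alice' OR '1'='1")]:  # constructed inputs
        try:
            find_comments(db, *bad)
        except ValueError as exc:
            print("rejected:", exc)
    print(find_by_body(db, "x' OR '1'='1"))
```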
