From the "It's not Chris Shiflett, but it's still security" department today, there's this short post on Nitesh Dhanjani's O'Reilly blog that talks about XSS (cross-site scripting) issues and some of the root causes behind them.
I have come across instances where such APIs don’t encode certain characters that can lead to XSS when more complicated variants of input are attempted. Therefore, I frequently and highly recommend RSnake’s XSS cheat-sheet to test web based applications and services for XSS vulnerabilities. If you are a web developer or tester, I do recommend that you test your application with the inputs suggested by RSnake to test for XSS issues.
I’ve been spending a considerable amount of time auditing web applications, and I’ve come to realize that a large number of developers do not understand the root cause of Cross Site Scripting (XSS) vulnerabilities. The most common mistake committed by developers (and many security experts, I might add) is to treat XSS as an input validation problem.
To be covered against the XSS bugs that might rear their ugly heads, you need to handle both sides: validate input where you can, but treat output encoding as the real fix, because untrusted data has to be encoded for the exact context it is written into (HTML body, attribute value, JavaScript, URL). A filter that strips a few known tags on the way in is not a substitute for that. You can never be too careful - users can be a crafty bunch, and you never know where they might sneak something in.
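The two points above (Dhanjani's advice to hammer an application with cheat-sheet style inputs, and the claim that input filtering alone does not fix XSS) can be shown side by side. The following is an added example, not code from the original post or from Nitesh Dhanjani's blog; the payloads are constructed for this example and are not RSnake's actual cheat-sheet, and the function and template names are this example's own.

```javascript
// Added example, not code from the original post or from Nitesh Dhanjani's blog.
// It contrasts a blacklist "input filter" with context-aware output encoding,
// using a handful of constructed payloads (not RSnake's actual cheat-sheet).

// A typical blacklist input filter: strips <script> elements and the javascript: scheme.
// Shown here as the wrong fix: it removes two known patterns and nothing else.
function naiveInputFilter(s) {
  return String(s)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Output encoding for the HTML body context. Because it also encodes both quote
// characters, the same encoder is safe for a quoted attribute value. Every character
// that can change the HTML parser's state becomes an entity, so the data stays text.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Two places the same user-supplied string can land: element content and an attribute value.
// "vulnerable" relies on the input filter only; "hardened" encodes at output time.
const templates = {
  vulnerable: (v) => `<p>Hello, ${naiveInputFilter(v)}</p><input value="${naiveInputFilter(v)}">`,
  hardened:   (v) => `<p>Hello, ${encodeForHtml(v)}</p><input value="${encodeForHtml(v)}">`,
};

// Constructed test inputs (hypothetical, for this example). `marker` is the construct a
// browser would have to see as real markup for the payload to run; matching it in the
// rendered page is the offline stand-in for "did it execute?". Real testing loads the
// page in a browser instead.
const payloads = [
  { name: 'plain script tag',       input: '<script>alert(1)</script>',        marker: /<script\b/i },
  { name: 'event handler on img',   input: '<img src=x onerror=alert(1)>',     marker: /<img\b[^>]*\bonerror=/i },
  { name: 'svg onload',             input: '<svg onload=alert(1)>',            marker: /<svg\b[^>]*\bonload=/i },
  { name: 'break out of attribute', input: '" autofocus onfocus=alert(1) x="', marker: /value="" autofocus onfocus=/i },
];

// Runs every payload through both templates and reports whether the attack construct
// survived into the rendered page.
function evaluate() {
  return payloads.map(({ name, input, marker }) => ({
    name,
    blockedByInputFilter: !marker.test(templates.vulnerable(input)),
    blockedByOutputEncoding: !marker.test(templates.hardened(input)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluate()) console.log(r);
}
```

Running it shows the input filter stopping only the literal `<script>` case while the event-handler and attribute-breakout payloads sail through, and the output encoder neutralising all four without knowing anything about them: it does not need a list of bad patterns because it never lets the data be parsed as markup in the first place.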