* Posts by Michael Evans

1 publicly visible post • joined 11 Jan 2008

Stay ahead of Web 2.0 worms

Michael Evans
IT Angle

Security Problems

It is worth pointing out that XSS avoidance doesn't actually require that you validate your inputs - so long as when you echo it back out on to a web page you encode it properly so that it's not interpreted by the browser.

Now, don't get me wrong, as if you don't check your inputs before passing the data on you are exposing yourself to all kinds of potential injection problems. But then, white-listing your input character set isn't going to protect you from SQL injections if you accept apostrophes - which are commonly allowed in surnames. So, while there are some really simple checks that you should do, if you understand the security issues then you can not bother to check your inputs, encode your outputs and write database queries through prepared statements or stored procedures and avoid all the problems alluded to in this article. The question then is what else you need to be aware of... XSRF would be a good one to investigate... or maybe you should look for open source or commercial web site testing tools that will automate the task of scanning form parameters (including hidden ones) and URL parameters... etc... etc... etc...

The real issue for IT at the moment is that these security issues require that developers understand them and code their applications defensively. Annoyingly it's like the law... not knowing is no defence... Even worse is that many people like to exacerbate security issues rather than simply solving them (even if the solution is only short term while we wait for the hackers to adapt techniques or invent new ones).

Why should XSS be around for some time to come? If the web server understands that all executed and dynamic code must be encoded before being outputted (unless explicitly allowed) then this is nothing more than marking data as dirty and tracking it as it comes out the JSP / ASP.NET / PHP / whatever server side scripting engine.

There are plenty of free resources on the Internet and any developer that isn't already familiar with this stuff should learn it... fast.
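The two points made in this comment - that output encoding, not input filtering, is what stops XSS, and that bound parameters let a surname like O'Brien through without breaking or corrupting the query - together with the "mark data as dirty and encode it on the way out unless explicitly allowed" model from the last paragraph, can be shown in a few dozen lines. The code below is an added illustration, not code from the commenter or from the article being discussed; it uses Python's standard `html` and `sqlite3` modules, an in-memory database, and constructed sample inputs (one legitimate surname with an apostrophe and one string a browser would execute if echoed raw). The `SafeHtml` marker class and the `render()` function are assumptions of this example, standing in for whatever a real templating engine would use to mark trusted markup.

```python
import html
import sqlite3

# Constructed sample inputs (not from the original post): a legitimate surname
# containing an apostrophe and a string a browser would execute if echoed raw.
SAMPLE_INPUTS = ["O'Brien", "<script>alert(1)</script>"]


def open_demo_db():
    """Create an in-memory database populated with the sample inputs via bound
    parameters; the driver keeps SQL and data apart, so the apostrophe is data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, surname TEXT)")
    conn.executemany("INSERT INTO people (surname) VALUES (?)",
                     [(s,) for s in SAMPLE_INPUTS])
    conn.commit()
    return conn


def find_surname(conn, surname):
    """Parameterised lookup (the prepared-statement approach); returns the stored
    surname or None. Input is not filtered at all, yet it cannot alter the query."""
    row = conn.execute("SELECT surname FROM people WHERE surname = ?",
                       (surname,)).fetchone()
    return row[0] if row else None


def concatenated_lookup_works(conn, surname):
    """The pattern the comment warns against: SQL assembled by string concatenation.
    Returns False when the input breaks the statement, which is exactly what an
    ordinary surname such as O'Brien does (the apostrophe ends the string literal)."""
    try:
        conn.execute("SELECT surname FROM people WHERE surname = '" + surname + "'")
        return True
    except sqlite3.OperationalError:
        return False


def encode_for_html(value):
    """Encode untrusted text for an HTML text or attribute context: '<', '>', '&'
    and both quote characters become entities, so the browser displays them."""
    return html.escape(value, quote=True)


class SafeHtml(str):
    """Marker (assumed for this example) for markup the developer has explicitly
    allowed through unencoded. Anything that is not SafeHtml is treated as dirty."""


def render(parts):
    """Output stage that encodes by default: data is tracked as dirty and encoded on
    the way out unless it was explicitly marked as safe markup."""
    return "".join(p if isinstance(p, SafeHtml) else encode_for_html(str(p))
                   for p in parts)


def surname_list_html(surnames):
    """Build a <ul> whose tags are trusted markup and whose items are untrusted data."""
    parts = [SafeHtml("<ul>")]
    for s in surnames:
        parts += [SafeHtml("<li>"), s, SafeHtml("</li>")]
    parts.append(SafeHtml("</ul>"))
    return render(parts)


def demo():
    """Round-trip the sample inputs through storage, lookup and rendering."""
    conn = open_demo_db()
    stored = [find_surname(conn, s) for s in SAMPLE_INPUTS]
    return {
        "stored": stored,
        "concat_ok_for_apostrophe": concatenated_lookup_works(conn, "O'Brien"),
        "page": surname_list_html(stored),
    }


if __name__ == "__main__":
    result = demo()
    print(result["stored"])                    # both values stored verbatim
    print(result["concat_ok_for_apostrophe"])  # False: concatenation breaks on O'Brien
    print(result["page"])                      # script tags rendered as text, not run
```

The point of the round trip is that neither input was filtered or rejected: the apostrophe survives storage intact because the query was parameterised, and the script string survives storage intact but reaches the browser as harmless text because encoding happened at the output boundary. The same `render()` function also shows why "encode unless explicitly allowed" is a small amount of tracking rather than a large one: the only decision is whether a given fragment carries the trusted marker.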