Because we can talk about the <script> tag on HN, the string "<script>" surely is a valid and expected input.
> If you have a user text input that only requires alphanumeric characters, space, period, and comma, then strip out any character which is not one of those things. That field is now no longer a possible source of XSS.
Except when somebody puts such a "safe" string in an unquoted HTML attribute... Seriously, thinking of data as "safe" (safe to be carelessly mishandled...) is a fragile approach.
> it depends on someone else remembering to include something in their code
Get a template engine that escapes everything everywhere by default, so you won't need to remember to escape (or "sanitize"!) each thing.
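An added illustration of the two points above (not code from the thread or from any template engine; helper names such as `whitelist`, `renderUnquoted` and `renderQuoted` are hypothetical): the whitelisted value is still "unsafe" in an unquoted attribute because a plain space starts a new attribute, while a template that quotes and entity-encodes for the attribute context does not care what the data looks like.

```javascript
// Added example, not from the HN thread. Run with node.
// Shows why a character whitelist is not an XSS defence by itself, and why
// context-aware escaping applied everywhere by default is.

// The whitelist from the quoted comment: letters, digits, space, period, comma.
function whitelist(input) {
  return input.replace(/[^A-Za-z0-9 .,]/g, "");
}

// Fragile template: trusts "safe" data and drops it into an unquoted attribute.
function renderUnquoted(value) {
  return `<input value=${value}>`;
}

// Context-aware escaping for an HTML attribute: always quote, and entity-encode
// every character that could close the quote or the tag. Works for any input,
// so nothing upstream has to remember to "sanitize".
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

function renderQuoted(value) {
  return `<input value="${escapeAttr(value)}">`;
}

// Minimal attribute splitter for a single start tag, enough to show how a
// tokenizer sees the output: whitespace outside quotes separates attributes.
function attributeNames(tag) {
  const inner = tag.slice(1, -1).trim(); // strip the surrounding < and >
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"']*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names.slice(1); // drop the tag name itself
}

// Constructed sample: passes the whitelist, yet yields a stray attribute.
const sample = whitelist("hello world");
console.log(attributeNames(renderUnquoted(sample))); // [ 'value', 'world' ]
console.log(attributeNames(renderQuoted(sample)));   // [ 'value' ]
```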