> What techniques do you use to insure that your application is not > vulnerable?
Usually I write application so that they do some processing, package up a chunk of data, and hand it to a template. With this structure, all you need to do is HTML-escape the data structure before handing it off, or use a templating tool that defaults to HTML-escaping all printed variables. If you're doing this, nothing the user sends in will pose a CSS threat. - Perrin