in reply to Preventing Cross-site Scripting Attacks
"The key to solving cross-site scripting attacks is to never, ever trust data that comes from the web browser. Any input data should be considered guilty unless proven innocent."
Couldn't have said it better myself. For more information on the subject consult Essential CGI Security Practices :)