XSS attacks don't mean your code any harm
The post Threat Modeling, quick recommendations contains this passage worth quoting:
However if we look at a vulnerability like XSS, it isn’t a threat to your own code, it is a threat to external entities (in this case, client browsers), and the best mitigation is to sanitize (HTML encode) data as it leaves your application rather than validate it as it enters (now you still need to validate it as it enters to make sure it isn’t malicious to your code, but don’t worry about flat out stopping xss with input validation if you can output encode).
To prevent XSS attacks, encoding the output is preferable to validating the input – „if you can“!
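As an added illustration of the quoted advice (example code written for this post, not taken from the threat-modeling article): the validation step only enforces rules that protect the application's own code, while the HTML encoding happens where the data leaves the application. The comment-list scenario, the `validateComment` rules and the sample text are constructed for the example.

```javascript
// Added example: HTML-encode untrusted data at the point where it leaves the
// application and is interpolated into HTML. Input validation is kept as a
// separate step that protects our own code and does not try to stop XSS.

// Encode the five characters that can change meaning inside HTML text and
// attribute values, mapping each to a character reference.
function htmlEncode(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validation "as it enters": rules that protect the application itself
// (a string, bounded length, no control characters). Angle brackets and
// quotes are accepted; stopping XSS is not this function's job.
function validateComment(text) {
  if (typeof text !== 'string') return false;
  if (text.length > 500) return false;
  return !/[\x00-\x08\x0b\x0c\x0e-\x1f]/.test(text);
}

// Output encoding "as it leaves": every untrusted value is encoded when it is
// placed into the HTML response, regardless of what validation accepted.
function renderComment(author, text) {
  return `<li><b>${htmlEncode(author)}</b>: ${htmlEncode(text)}</li>`;
}

// Constructed sample input: markup that a browser would execute if it were
// echoed back unencoded, plus quotes and an ampersand.
const SAMPLE_TEXT = '<script>alert(1)</script> "quoted" & more';

// Runs the two steps in order and returns the HTML fragment that would be sent.
function demo() {
  if (!validateComment(SAMPLE_TEXT)) throw new Error('comment rejected');
  return renderComment('ann', SAMPLE_TEXT);
}

console.log(demo());
```

The returned fragment contains no `<script` sequence; the browser displays the original characters as text, which is the property output encoding provides independently of the validation rules.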