I've been reading up a little on XSS. From what I can tell, you could only get stung by this if you don't clean and convert input and output. Is this correct?
From what I can see, so long as you:
- Convert special characters to HTML entities (e.g. PHP's htmlspecialchars()) when you output if it's not HTML
- Make your cookies HTTP only
To me, this is all just good practice anyway. And the third point should not strictly be required if you have implemented the first two points correctly.
Is it that simple or am I missing something?
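The two points in the question, entity-encoding output and setting HttpOnly cookies, as an added example in PHP that is not part of the original post. It goes slightly beyond the post by showing that the encoder depends on where the value lands (HTML text or attribute versus a URL query component), which is the usual reason "just escape it" goes wrong. The function names `h()`, `u()` and `sendSessionCookie()`, the sample string and the cookie name are this example's own; a real application would use `session_start()` rather than a hand-rolled session id.

```php
<?php
// Added example (not from the original post): context-aware output encoding
// plus an HttpOnly session cookie. Function names and sample values are
// this example's own.

declare(strict_types=1);

// Encode a value for insertion into HTML text or a double/single-quoted
// attribute. ENT_QUOTES converts both ' and " so the value cannot close a
// quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of returning an empty string, which would silently drop output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode a value for a URL query component. This is a different context,
// so it needs a different encoder; htmlspecialchars() alone is not enough.
function u(string $value): string
{
    return rawurlencode($value);
}

// Send the session cookie with HttpOnly so script on the page cannot read it
// through document.cookie. Secure and SameSite are not in the post but are
// the flags usually set alongside it. The array form needs PHP 7.3+.
function sendSessionCookie(string $sessionId): void
{
    setcookie('session', $sessionId, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample input: markup that must render as literal text.
$untrusted = '<b onmouseover="x()">Tom & "Jerry"</b>';

sendSessionCookie(bin2hex(random_bytes(16))); // stand-in for session_start()
header('Content-Type: text/html; charset=UTF-8');
?>
<!doctype html>
<p>Hello, <?= h($untrusted) ?></p>
<input type="text" value="<?= h($untrusted) ?>">
<a href="/search?q=<?= h(u($untrusted)) ?>">search</a>
```

Run it behind any PHP-capable web server and view the page source: the `<b>` tag and the quotes arrive as `&lt;b ...&gt;` and `&quot;` in both the paragraph and the attribute, so they are displayed rather than parsed, while the link's query string is percent-encoded and then HTML-encoded for the attribute it sits in. In the response headers, `Set-Cookie` carries `HttpOnly; Secure; SameSite=Lax`. Note that `h()` covers HTML text and quoted attributes only; unquoted attributes, inline JavaScript and CSS each need their own encoder or, better, are avoided entirely.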