How well do you know XSS? Do your defenses end at blacklisting alert("xss")? Let's hope not. In fact, if you are blacklisting at all to prevent XSS you are fighting a losing battle.
What's the correct approach? Well, you need to consider where you tainted data is going and then use the appropriate escaping technique. And just for the record, html entity encoding won't work everywhere :)
If you are interested in the positive approach for preventing XSS then check out OWASP's new XSS Prevention Cheat Sheet
Here are a few cool things that are discussed:
- Injecting Up vs Injecting Down
- Attribute Escaping
- Javascripting Escaping
- CSS Escaping
- URL Escaping