
What is the way (best practice) to deal with XSS?

I am using ASP.NET, and an ASP.NET page has a validate attribute which checks for XSS validations. However, I would like to know: is it really sufficient?

I have visited some of the related posts on Stack Overflow and that helped me, but I am looking to understand how to plan for XSS when developing web sites.

Do we have to check for XSS on the client side and in AJAX also? How do we do that? Are there any tools which can help with testing for XSS?

Thanks,


These are the basics:

  • Do not allow HTML input
  • Always HTML-encode input when displaying it
  • Use the AntiXSSLibrary from Microsoft, or a similar library
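
Added example, not part of either answer and not code from the posters: a C# sketch of "encode when displaying" that picks the encoder by output context, using the framework's `System.Web.HttpUtility`. The class name, method names and the sample value are assumptions made for illustration.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework)

public static class OutputEncodingDemo
{
    // Constructed sample: one untrusted value that must be rendered in
    // several places on the same page.
    private const string Untrusted = "\"><script>alert(1)</script>";

    // HTML element content, e.g. <p>HERE</p>
    public static string ForHtmlBody(string s)
    {
        return HttpUtility.HtmlEncode(s);
    }

    // Quoted HTML attribute value, e.g. <input value="HERE">
    public static string ForHtmlAttribute(string s)
    {
        return HttpUtility.HtmlAttributeEncode(s);
    }

    // JavaScript string literal, e.g. var name = HERE;
    // Passing true makes the encoder emit the surrounding double quotes,
    // so the template never has to add (or forget) them.
    public static string ForJsString(string s)
    {
        return HttpUtility.JavaScriptStringEncode(s, true);
    }

    // Query-string parameter value, e.g. /search?q=HERE
    public static string ForUrlParam(string s)
    {
        return HttpUtility.UrlEncode(s);
    }

    public static void Main()
    {
        // The same input needs a different encoding in each context;
        // HtmlEncode alone does not make a value safe inside a script
        // block or a URL.
        Console.WriteLine("<p>" + ForHtmlBody(Untrusted) + "</p>");
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(Untrusted) + "\">");
        Console.WriteLine("<script>var c = " + ForJsString(Untrusted) + ";</script>");
        Console.WriteLine("<a href=\"/search?q=" + ForUrlParam(Untrusted) + "\">search</a>");
    }
}
```

Encoding at the point of output covers values that never pass through a page's request validation, such as data read back from a database or returned to an AJAX caller.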


Check it out: Allowing HTML and Preventing XSS @ shiflett.org

0
