When a customers [sic, you need to learn some simple grammar, Curphey!] development team was recently asked to use the AntiXSS library, validate input and encode output for their web interface they replied (and I quote) “we do not use cross site scripting”.
When Mark emailed me I didn’t know whether I should laugh or cry. Seriously, I didn’t know. I was blown away. With all the knowledge out there about security bugs, someone thought XSS was a valid feature.
Does this mean that all the good work done by so many people for so many years is just wasted effort?