I've been reading up a little on XSS. From what I can tell, you could only get stung by this if you don't clean and convert input and output. Is this correct?

From what I can see, so long as you:

  • Strip JavaScript from any user input using rich text editors (CKEditor does this by default anyway) if it is HMTL or
  • Convert special characters to HTML entities (E.g. PHP's htmlspecialchars()) when you output if it's not HTML
  • Make your cookies are HTTP only

To me, this is all just good practice anyway. And the third point should not strictly be required if you have implemented the first two points correctly.

Is it that simple or am I missing something?