I am trying to protect a user from the impact of other users. To extend the example, a user’s name could be placed in the html shown to another user. This might contain malicious code of some kind I can’t anticipate due to a lack of security knowledge.
Is dealing with this a matter of the CSP headers @felgall mentioned or is there some additional sanitization needed?