Web applications are the most frequently targeted for attack from this vector. With browser security breaches, attackers are able to inject client-side code into those vulnerable pages and affect other machines that come in contact with that page. Dangerous indeed. When to use anti-XSS methods? Anytime you're outputting something users can tamper with. An attacker can use HTML characters to add an invisible iframe to the page like:
MUCH safer way to do business for your web application, as you've escaped the HTML characters into their HTML character entities. These are listed below:
& = &amp;
< = &lt;
> = &gt;
" = &quot;
' = &#x27; (&apos; is not to be used)
/ = &#x2F; (forward slash used to end an HTML entity)
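The six-character mapping listed above, applied at output time. This is an added example, not code from the original page; the names escapeHtml, html and renderComment and the sample values are assumptions made for illustration.

```javascript
// The six characters from the list above and their entity replacements.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;", // numeric form, not &apos;
  "/": "&#x2F;",
};

// Single pass over the input: every character is replaced exactly once, so
// the "&" that begins an emitted "&lt;" is never escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Tagged template (hypothetical helper): markup written by the developer is
// kept as-is, every interpolated value is escaped before being joined in.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Constructed sample input: a display name and a comment body that carries
// an invisible iframe tag, as a user-controlled field might.
const sampleName = "Tom & Jerry's";
const sampleComment =
  '<iframe src="//example.invalid/" style="display:none"></iframe>';

function renderComment(author, body) {
  return html`<p class="comment"><b>${author}</b>: ${body}</p>`;
}

// The browser now shows the tag as text instead of parsing it as markup.
console.log(renderComment(sampleName, sampleComment));
```

This mapping covers values placed in HTML element content or inside quoted attribute values. Values written into script blocks, URLs or CSS need the encoding for that context instead.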