What happens if you output unescaped user input?
If you build a webapp targeted for small and friendly crowd - usually nothing. But when you build a website for American presidential candidate... Uh well, it smells like XSS. This weekend, Barack Obama website accepted a comment from a visitor but did not escape nor strip out angle-brackets and quotemarks. A YouTube clip from zennie62 demonstrates the attack. The clip shows a user clicking on the blog section of the Barack Obama site, which caused the browser to redirect to hillaryclinton.com. Funny! :) I still love the design of barackobama.com though.