Prevent XSS Attacks

The best defense against XSS attacks is good filtering of input.

If you allow users to send messages to each other, for example, you really must filter all input from the sender to make sure it's secure.

In some cases this might be obvious, but consider the case where you allow a user to input a website URL on their profile pages:

Some sites will allow you to enter a URL, then they will display it as a clickable link such as:

<a href="URI">URI</a>

If you don't filter spaces and quote marks from the input, a user can abuse this by submitting http://foocome" onMouseOver="alert(document.cookie) as the URL. Placed unfiltered into the href attribute, that input produces the malicious

<a href="http://foocome" onMouseOver="alert(document.cookie)">http://foocome" onMouseOver="alert(document.cookie)</a>

A good Perl module for filtering all input is HTML::Scrubber which allows filtering of attribute and script values.
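As an added illustration (not taken from the page or from HTML::Scrubber, and written in Python rather than Perl), the following shows both halves of the defense for the profile-URL case above: a validation step that rejects input containing whitespace or quotes and accepts only http(s) URLs, and an attribute-encoding step so that even a quote that slips through cannot close the href attribute. The example.com URLs are constructed sample input.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_url(url: str) -> bool:
    """Input-side filter: accept only a plain http(s) URL that contains
    no whitespace, quote marks, angle brackets or control characters."""
    if not url or len(url) > 2048:
        return False
    if any(c.isspace() or ord(c) < 0x20 or c in "\"'<>" for c in url):
        return False
    parts = urlsplit(url)
    # Require an allowed scheme and a host part, so bare strings and
    # non-web schemes are rejected before they reach the template.
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def attribute_escape(value: str) -> str:
    """Output-side defense: encode &, <, >, " and ' so the value cannot
    terminate the attribute or the tag it is placed in."""
    return html.escape(value, quote=True)


def render_link(url: str):
    """Return <a href="...">...</a> for a validated URL, or None if the
    input was rejected by validate_url()."""
    if not validate_url(url):
        return None
    safe = attribute_escape(url)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    # The payload from the text: rejected by validation, and neutralised
    # by encoding even if validation were skipped.
    payload = 'http://foocome" onMouseOver="alert(document.cookie)'
    print(render_link(payload))          # None
    print(attribute_escape(payload))     # quotes become &quot;
    print(render_link("https://example.com/a?b=1&c=2"))
```

Validation and encoding are independent layers: the first keeps bad values out of the data store, the second protects the page if a value reaches the template by another path.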
