In looking around for XSS handling under various platforms, I was surprised how little the visiting-evil-website version of the hack was mentioned. Most people are implementing input validation.
As of the 1.1 version of ASP.NET, Microsoft turned on validation by default.
ASP.NET Request Validation and Cross-Site Scripting There were lots of complaints from their user-base, but it makes sense to be more secure out of the box, then allow savvy administrators to relax security.
I'm still trying to get my head wrapped around the whole thing, but from my simplistic viewpoint, would the following work for a given website: (1) input validation everywhere, (2) administrator education that you don't wander with your browser, i.e. open/close whenever in admin role. #2 wouldn't protect against a teacher getting her class area hacked, but social engineering would help prevent OpenACS admin accounts from being misused.
