On Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here's an excerpt.

When a customers [sic, you need to learn some simple grammar, Curphey!] development team was recently asked to use the AntiXSS library, validate input and encode output for their web interface they replied (and I quote) “we do not use cross site scripting”.

When Mark emailed me I didn't know whether I should laugh or cry. Seriously, I didn't know. I was blown away. With all the knowledge out there about security bugs, someone thought XSS was a valid feature.

Does this mean that all the good work done by so many people for so many years is just wasted effort?