Commonly Asked Cross-Site Scripting Questions | SecGuru
There's a good guide to how cross-site scripting attacks occur and some of the ways to defend against them over at SecGuru.
One thing I'd add is that if you're working in a Microsoft world, using ASP.NET is a very good idea, as the default config seems to make XSS a lot harder to execute (can't remember the exact settings at the moment, just remembering my frustration last time I had to test a site...)

