Use of contextually auto-escaping template systems dramatically reduces the potential for XSS vulnerabilities: in (9), the substitution of untrustworthy values profile.name and profile.blogUrl into the resulting markup cannot result in XSS—the template system automatically infers the required HTML-escaping and URL-validation.
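The behavior described above can be observed with Go's html/template package, which is also a contextually auto-escaping template system. This is an added example, not the template from (9) or code from the original article; the Profile type, the RenderProfile helper and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Profile holds the two untrusted values named in the text (the type itself is an assumption).
type Profile struct {
	Name    string
	BlogUrl string
}

// The template author writes plain substitutions. The engine parses the markup,
// sees that Name sits in HTML text and BlogUrl in a URL attribute, and picks the
// escaper or filter for each context on its own.
var profileTmpl = template.Must(template.New("profile").Parse(
	`<div class="name">{{.Name}}</div><a href="{{.BlogUrl}}">Blog</a>`))

// RenderProfile executes the template for one profile and returns the markup.
func RenderProfile(p Profile) (string, error) {
	var sb strings.Builder
	if err := profileTmpl.Execute(&sb, p); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample inputs: one benign profile, one carrying markup and a
	// script-scheme URL in the two untrusted fields.
	samples := []Profile{
		{Name: "Alice & Bob", BlogUrl: "https://blog.example.com/alice"},
		{Name: "<script>alert(1)</script>", BlogUrl: "javascript:alert(1)"},
	}
	for _, p := range samples {
		out, err := RenderProfile(p)
		if err != nil {
			fmt.Println("render error:", err)
			continue
		}
		// Name is HTML-escaped; a URL with a disallowed scheme is replaced by the
		// package's inert placeholder "#ZgotmplZ" instead of reaching the href.
		fmt.Println(out)
	}
}
```

A quick regression check for any template of this kind is to render it with hostile values in every untrusted field and assert that neither a raw tag nor a script-scheme URL survives in the output.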