by ToastOpt 5447 days ago
I think that's what Sidnic meant by templating -- that you have precisely one well tested encoding step in the system, near the end. This reduces the number of failure modes you need to test for.

In a previous project, we didn't even have an effective means of counting all the potential points of failure; you really don't want that, because it takes a lot of effort to fix.

1 comments

Sometimes templating isn't an option, or isn't enough. You have to make sure you escape in the right context.

I've seen developers use PHP's htmlspecialchars() (or hand-rolled versions thereof) when rendering snippets of inline JavaScript. The problem is that it only HTML-entity encodes <, >, &, ', and ", which still leaves you open to XSS because it doesn't encode all the characters that can be exploited in a JavaScript context.

Following the OWASP guidelines will negate all of that danger.
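As an added illustration of the point in the comment above (this is example code, not from the thread and not PHP's or OWASP's own implementation), the block below models an inline event-handler attribute such as `onclick="greet('VALUE')"`. The browser decodes HTML entities in an attribute value before the JavaScript engine runs it, so an entity-encoding step like htmlspecialchars() is undone exactly where it was supposed to protect you, while a JavaScript-string escaper that emits only `\xHH` / `\uHHHH` sequences survives that decoding. The `greet` template, the `decodeHtmlAttribute` simulation and the probe string are my own assumptions, constructed to make the difference visible.

```javascript
// Added example: HTML-entity encoding vs. JavaScript-string escaping in an
// inline event-handler context. Not code from the original thread.

// Mirrors the behaviour the comment attributes to htmlspecialchars():
// entity-encode exactly & < > " and '.
function htmlSpecialChars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// OWASP-style JavaScript string escaper: everything that is not A-Z a-z 0-9
// becomes \xHH (or \uHHHH / \u{H...} above 0xFF). The output contains no quote,
// no backslash-as-data, no line terminator and no '&', so neither the HTML
// parser nor the JS tokenizer can be tricked out of the string literal.
function escapeJsString(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    else out += '\\u{' + cp.toString(16).toUpperCase() + '}';
  }
  return out;
}

// Simulates (assumption, simplified) what the browser does to an attribute
// value before handing an event handler to the JS engine: entities are
// decoded back into raw characters.
function decodeHtmlAttribute(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Scans a single-quoted JS string literal starting at js[0] using the
// language's escape rule (a backslash consumes the next character) and
// returns the code that follows the literal. If the untrusted value stayed
// inside the literal, the tail is exactly what the template put after it.
function codeAfterStringLiteral(js) {
  if (js[0] !== "'") throw new Error('expected a single-quoted literal');
  for (let i = 1; i < js.length; i++) {
    if (js[i] === '\\') { i++; continue; }
    if (js[i] === "'") return js.slice(i + 1);
  }
  throw new Error('unterminated string literal');
}

// Render the hypothetical template onclick="greet('VALUE')" with a given
// escaper and report what the JS engine sees once the attribute is decoded.
function renderHandler(value, escaper) {
  const attr = escaper(value);                          // written into the HTML
  const js = "greet('" + decodeHtmlAttribute(attr) + "')"; // seen by the JS engine
  const tail = codeAfterStringLiteral(js.slice('greet('.length));
  return { attr, js, tail };
}

// Safe means the literal closed exactly where the template closes it.
function handlerIsSafe(value, escaper) {
  return renderHandler(value, escaper).tail === ')';
}

// Constructed probe value (not from the page): tries to end the literal early.
const PROBE = "'); alert(1); //";

for (const [name, esc] of [['htmlSpecialChars', htmlSpecialChars], ['escapeJsString', escapeJsString]]) {
  const r = renderHandler(PROBE, esc);
  console.log(`${name}: attribute=${r.attr}\n  js=${r.js}\n  safe=${handlerIsSafe(PROBE, esc)}`);
}
```

Even a harmless apostrophe, as in `O'Reilly`, breaks the handler when entity-encoded, because `&#039;` is decoded back into `'` before the JavaScript is parsed; the probe string then goes one step further and lands code outside the literal. The JS-string escaper keeps both inside the literal, and in a real template you would still apply attribute encoding on top of it for the attribute context, as the OWASP rules describe.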