Blacklisting is neither the best nor the only way to prevent an XSS attack. This web application penetration testing scenario shows how an attacker could circumvent such a filter.
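As an added illustration (not code from the original article or its authors), the following JavaScript pairs a constructed blacklist filter with two payloads that slip past it, beside HTML output encoding, which needs no blacklist at all. The filter, the payloads and the `looksExecutable` check are all assumptions made for this example, not any real application's code.

```javascript
// Added example (not from the original article): a constructed blacklist
// filter next to payloads that get past it, and HTML output encoding that
// makes the blacklist unnecessary. Everything below is an assumption built
// for illustration, not any real application's filter.

// Naive blacklist: strip the literal tags <script> and </script> in one
// case-insensitive pass. This is the kind of "safety feature" the text means.
function blacklistFilter(input) {
  return input.replace(/<\/?script>/gi, "");
}

// Crude stand-in for "would a browser run this?": a script tag, or an inline
// event handler attribute inside a tag. Used only to make the bypass visible
// in code; the real oracle is rendering the string in a browser.
function looksExecutable(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Output encoding for HTML text context: every character that can open or
// close markup is replaced by its entity, so no blacklist is needed.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed payloads.
const PAYLOADS = {
  // The case the blacklist was written for.
  plain: "<script>alert(1)</script>",
  // Bypass 1: no <script> tag at all; an event handler does the work.
  eventHandler: "<img src=x onerror=alert(1)>",
  // Bypass 2: a single non-recursive strip reassembles the forbidden tag.
  nested: "<scr<script>ipt>alert(1)</scr</script>ipt>",
};

// Run one payload through both defences and report what each leaves behind.
function compare(payload) {
  const filtered = blacklistFilter(payload);
  const encoded = htmlEncode(payload);
  return {
    filtered,
    filteredExecutable: looksExecutable(filtered),
    encoded,
    encodedExecutable: looksExecutable(encoded),
  };
}

for (const [name, payload] of Object.entries(PAYLOADS)) {
  const r = compare(payload);
  console.log(`${name}: blacklist -> ${r.filtered} (executable: ${r.filteredExecutable})`);
  console.log(`${name}: encoding  -> ${r.encoded} (executable: ${r.encodedExecutable})`);
}
```

The blacklist removes exactly the string its author had in mind and nothing else: the event-handler payload never contained that string, and the nested payload is assembled by the filter itself once the inner tags are stripped. Output encoding does not try to recognise attacks, so neither trick changes its result.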
Many web applications use role-based access control, with a different set of functionality for each role that determines what a user can do and which content they see.
Bank Websites and insufficient process validation – A recipe for Fraud
As web applications become more complex through the use of various technologies, the attack surface of the applications that implement them grows as well. Applications that use JSON to populate page content are just one example.