Blacklisting is not the best or only way to avoid an XSS attack. This web application penetration scenario shows how an attacker could circumvent this safety feature.
Testing Single Page Applications for Broken Access Control Policies
Bank Websites and insufficient process validation – A recipe for Fraud
As web applications grow more complex through the use of various technologies, the attack surface of the applications that implement those technologies grows with them. Applications that use JSON to populate application content are just one example.