Which two measures are most effective in protecting websites from cross site scripting (XSS) attacks?

If need to select appropriate answer or 3 options then correct answer would be
ABD

Why D ?
Explnation : A critical rule you’ll learn when developing secure applications is to assume that all data received by the application is from an untrusted source. This applies to any data received by the application — data, cookies, emails, files or images — even if the data is from users who have logged into their account and authenticated themselves.

Not trusting user input means validating it for type, length, format and range whenever data passes through a trust boundary, say from a Web form to an application script, and then encoding it prior to redisplay in a dynamic page. In practice, this means that you need to review every point on your site where user-supplied data is handled and processed and ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered and encoded.

Why A and B ?
Explanation:
Client-side validation cannot be relied upon, but user input can be forced down to a minimal alphanumeric set with server-side processing before being used by your Web application in any way. You can use regular expressions to search and replace user input to ensure it’s non-malicious. This cleaning and validation should be performed on all data before passing it on to another process. For example, a phone number field shouldn’t accept any punctuation other than parentheses and dashes. You also need to encode special characters like “” before they are redisplayed if they are received from user input. For example, encoding the script tag ensures a browser will display but not execute it. In conjunction to encoding, it is important that your webpages always define their character set so the browser won’t interpret special character encodings from other character sets.