Untrusted input is one vector -- but XSS comes from a lot of places: third-party JS (Google Analytics, etc.) -- domain compromise, DNS hijacking -- all over. It's significantly harder to prevent.
This article really only discusses the content from a web perspective; if you're doing native mobile stuff, it's a whole different story =D