[eluser]WanWizard[/eluser]
Read it. And find it of limited use.
None of the examples given pose a threat in itself. Whether or not a string is a threat depends on where you use it. "FORMAT C:" is a totally innocent string. Unless typed in on the command line of a Windows box.
The examples used 'could' be a threat if you echo the post variable back as part of an HTML tag. How likely is that, for anyone with a bit of common sense?
And, since the article was published only a few weeks ago, he could have checked 2.0 as well. Which would have revealed that the XSS clean functionality has been completely rewritten, which includes, amongst others, encoding.
I agree with Jelmer's response to the article that global xss cleaning is often unnecessary, or even unwanted, and that you should always be conscious about the possible security issues with the application you're building. And act upon that.
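The point made above, that the same string is harmless or harmful depending on the output context, shown as an added example (written for this note, not code from the thread or from CodeIgniter; the input value is constructed):

```php
<?php
// Added example: one user-supplied value, three output contexts. Escaping is
// done at the point of output with the encoder that fits that context,
// instead of "cleaning" every input globally and hoping it covers all uses.

// Constructed sample input, e.g. what might arrive in $_POST['title'].
// Note it is perfectly legitimate data; a global strip would mangle it.
$input = 'O\'Brien "Rex" <b>';

// Context 1: HTML text content. Escaping the HTML-significant characters is
// sufficient; the browser renders the text exactly as typed.
function render_text(string $value): string {
    return '<p>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Context 2: a quoted HTML attribute. Same encoder, but the attribute MUST be
// quoted: in an unquoted attribute a plain space already ends the value, which
// is exactly the "echo the post variable back inside a tag" case.
function render_attr(string $value): string {
    return '<input name="title" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Context 3: a JavaScript string literal inside a <script> element. HTML
// escaping is the wrong tool here; json_encode with the JSON_HEX_* flags
// yields a literal that cannot terminate the string or the script element.
function render_js(string $value): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var title = ' . json_encode($value, $flags) . ';</script>';
}

echo render_text($input), PHP_EOL;
echo render_attr($input), PHP_EOL;
echo render_js($input), PHP_EOL;
```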