Those issues are only relevant to applications that display arbitrary HTML and already have XSS issues. Avoiding XSS is doable; with most web frameworks you're protected from XSS by default and have to specifically turn off the safeties to get XSS.