XSS
How a browser parses an HTML string depends on the context the string lands in (element body, attribute value, script block, URL), and the parsing rules differ between browsers and between versions of the same browser, so it is hard to sanitize reliably on the server side.
Whitelist Validation and Blacklist Validation
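The two ideas above, context-dependent parsing and allowlist validation, are easier to see in code. The following is an added example, not part of the original notes: it validates an input field against an allowlist and encodes one untrusted value differently for each output context, so that the same value cannot change the meaning of the surrounding HTML, attribute, script, or URL. The function names and the sample input are assumptions made for illustration.

```python
"""Allowlist validation plus context-aware output encoding (added example)."""
import html
import json
import re
from urllib.parse import quote

# Allowlist validation: the field accepts only a known-safe alphabet and length.
# Anything outside the pattern is rejected outright instead of being "cleaned".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value: str) -> bool:
    """Return True only when the whole value matches the permitted pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_html_text(value: str) -> str:
    """Text between tags: '&', '<', '>' and both quote characters become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Double-quoted attribute value: same entities; the caller must keep the quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JS string literal inside <script>. JSON quoting handles quotes and backslashes;
    '<', '>' and '&' are additionally written as \\uXXXX because the HTML parser
    looks for '</script>' before the JS parser ever sees the literal."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """Query-string value: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


ENCODERS = {
    "html_text": encode_html_text,
    "html_attr": encode_html_attr,
    "js_string": encode_js_string,
    "url_param": encode_url_param,
}


def render(template: str, context: str, value: str) -> str:
    """Insert `value` into `template` at '{}' using the encoder for `context`.
    An unknown context raises instead of silently falling back to a guess."""
    try:
        encoder = ENCODERS[context]
    except KeyError:
        raise ValueError(f"no encoder for context {context!r}") from None
    return template.replace("{}", encoder(value), 1)


if __name__ == "__main__":
    sample = 'O\'Brien & "Co" </script>'  # constructed sample input
    print(is_valid_username("alice_01"), is_valid_username(sample))
    for ctx in ENCODERS:
        print(ctx, "->", ENCODERS[ctx](sample))
```

Each output context gets its own encoder, and `render` refuses to emit a value into a context it does not know; that refusal is the allowlist idea applied to output locations, not just to input characters.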