ext_3000 ([identity profile] kragen.livejournal.com) wrote in [personal profile] dtm 2007-04-21 10:30 pm (UTC)

Nevow's Stan has what I think is a better answer. Rather than putting the information about whether a particular field is supposed to be quoted or not in the template, where it is difficult to verify that it matches the logic producing that field, it puts it in the value to be interpolated. If you put ordinary strings into your template, they are automatically quoted as HTML; if you have a variable that contains raw HTML that you don't want to quote, you have to put it into a special kind of object that has a different "flatten method."

In this way, the XSS-free-ness of the data flow is verifiable incrementally: user inputs start as strings, and if they remain strings, you're safe, because they'll be quoted. If at any stage you do something funky that will avoid a string being quoted, that decision is clearly located at one point in your program, hopefully next to the code that makes sure that string is safe to not be quoted.

This is the dynamically-typed equivalent of Joel Spolsky's suggested Hungarian solution to the problem.
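To make the approach described in this comment concrete, here is an added example (not Nevow/Stan's own code, and not code from the commenter): a minimal flattener in which ordinary strings are always HTML-escaped and only values explicitly wrapped in a hypothetical `Raw` marker class pass through untouched, so the "do not escape" decision is tied to the value rather than to the template. The `Tag` node type and the `render_comment` helper are also assumptions made for the sake of illustration.

```python
"""Added example: a tiny Stan-style flattener where the escape/no-escape
decision travels with the value, not with the template.

Names (Raw, Tag, flatten, render_comment) are assumptions for this
example, not Nevow's API."""
import html


class Raw:
    """Wrapper for markup the caller asserts is already safe.

    The only way to get unescaped text into the output is to construct
    one of these, so every such decision is greppable as `Raw(`.
    """

    __slots__ = ("markup",)

    def __init__(self, markup: str) -> None:
        self.markup = markup

    def flatten(self) -> str:
        # Deliberately no escaping: that is the whole point of the marker.
        return self.markup


class Tag:
    """Minimal element node: a name, child nodes and attributes.

    A trailing underscore on a keyword (class_) is stripped so Python
    reserved words can be used as attribute names.
    """

    def __init__(self, name: str, *children, **attrs) -> None:
        self.name = name
        self.children = list(children)
        self.attrs = attrs

    def flatten(self) -> str:
        # Attribute values are always escaped as plain strings; a Raw
        # marker is honoured only for element content, never attributes.
        attrs = "".join(
            f' {key.rstrip("_")}="{html.escape(str(value), quote=True)}"'
            for key, value in self.attrs.items()
        )
        inner = "".join(flatten(child) for child in self.children)
        return f"<{self.name}{attrs}>{inner}</{self.name}>"


def flatten(node) -> str:
    """Serialize a node tree to HTML.

    Plain strings are escaped unconditionally; anything carrying its own
    flatten() method (Raw, Tag) decides for itself; lists are concatenated.
    """
    if isinstance(node, str):
        return html.escape(node, quote=True)
    if hasattr(node, "flatten"):
        return node.flatten()
    if isinstance(node, (list, tuple)):
        return "".join(flatten(child) for child in node)
    if isinstance(node, (int, float)) and not isinstance(node, bool):
        return str(node)
    raise TypeError(f"cannot flatten {type(node).__name__}")


def render_comment(author: str, body) -> str:
    """Render a comment block; `body` may be a str (escaped) or Raw."""
    return flatten(Tag("div", Tag("b", author), ": ", body, class_="comment"))


if __name__ == "__main__":
    # Constructed sample input: an untrusted comment body containing markup.
    untrusted = "<script>alert(1)</script>"
    print(render_comment("mallory", untrusted))
    # A body that some upstream sanitizer has vouched for must be marked
    # explicitly; that marking is the one place a reviewer needs to look.
    print(render_comment("alice", Raw("<em>hi</em>")))
```

Because a plain `str` can never reach the output unescaped, a reviewer checking this data flow only has to audit the places where `Raw(...)` is constructed, which is exactly the incremental verifiability the comment describes.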
