my own specs, and I never leave input validation out.
all user input is validated for the content type expected.
no user input is run as script.
( code tag any user input on validating if it contains scripting data )
all input also has session key tied to the validation, if no valid session key, then input rejected.
( helps keep cross site scripting vulnerabilities and errors down )
why anyone hasn't set up their own sanitisation functions that they use automatically in today's environment is beyond me.
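
A sketch of the three rules listed in the comment above (type-based validation, a session key tied to every submission, and user input shown as text rather than run as script), added here as an example and not code from the original post. All names (`VALIDATORS`, `form_token`, `accept_input`, `render`) and the field patterns are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret key

# Allow-list patterns, one per expected content type (hypothetical field types).
VALIDATORS = {
    "int": re.compile(r"[0-9]{1,9}"),
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    # Free text: anything except control characters (tab, LF, CR allowed).
    "text": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,2000}"),
}


def form_token(session_id: str) -> str:
    """Token bound to one session; the server embeds it in each form it renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def accept_input(session_id: str, token: str, field_type: str, value: str) -> str:
    """Return the value if it passes both checks, otherwise raise ValueError."""
    expected = form_token(session_id or "").encode()
    # Constant-time comparison; a missing or wrong token rejects the input.
    if not session_id or not hmac.compare_digest(expected, (token or "").encode()):
        raise ValueError("no valid session key")
    pattern = VALIDATORS.get(field_type)
    if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError("value does not match the expected content type")
    return value


def render(value: str) -> str:
    """Encode on output so stored input is displayed as text, never executed."""
    return "<code>" + html.escape(value, quote=True) + "</code>"
```

Free-text fields legitimately accept markup-like content, which is why the encoding step in `render` is applied on output regardless of what validation allowed in.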









































