Cross Site Scripting (XSS) is bad. If your webapp accepts markup as an input, you have to defend against malicious input and output. XSLT is all about filtering, so why not use it to clean input to your application? It seemed like a good idea at the time, but I'm still working through it.

*The Issues*

* Most input is neither well-formed nor valid.
* Tags aren't in normalized case.
* Oh, and there are character entities to worry over as well.
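The three issues above amount to a normalization step that has to run before an XSLT allow-list filter can see the input at all. As an added example (not the author's code), here is that step using only Python's standard library: html.parser copes with tag soup, lowercases tag names and decodes character references, and the output is re-escaped into well-formed XML that a stylesheet can then process. The allow-list and the href scheme check are constructed for the demo.

```python
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr

# Constructed allow-list for this demo: what the XSLT stage is meant to keep.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
RAW_TEXT_TAGS = {"script", "style"}   # contents discarded, not just the tags

class TagSoupNormalizer(HTMLParser):
    """Tag soup -> well-formed XML: lowercase tags, balanced nesting, entities re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)   # decode &lt; &#60; ... in text and attributes
        self.out, self.stack, self.in_raw = [], [], None
    def handle_starttag(self, tag, attrs):        # html.parser already lowercases tag names
        if tag in RAW_TEXT_TAGS:
            self.in_raw = tag
        elif tag in ALLOWED_TAGS:                  # unknown tags are dropped, their text kept
            kept = "".join(f" {n}={quoteattr(v or '')}" for n, v in attrs if keep_attr(tag, n, v or ""))
            self.out.append(f"<{tag}{kept}>")
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag == self.in_raw:
            self.in_raw = None
        elif tag in self.stack:                    # stray/disallowed end tags are ignored
            while True:                            # close anything still open inside it
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break
    def handle_data(self, data):
        if self.in_raw is None:
            self.out.append(escape(data))          # re-escape & < > so smuggled tags stay text
    def close(self):
        super().close()                            # flush trailing text
        while self.stack:                          # close tags the input left open
            self.out.append(f"</{self.stack.pop()}>")

def keep_attr(tag, name, value):
    """Allow-listed attribute; href is further restricted to plain web URLs."""
    if name not in ALLOWED_ATTRS.get(tag, set()):
        return False
    return name != "href" or value.strip().lower().startswith(("http://", "https://"))

def normalize(tag_soup: str) -> str:
    """Return a well-formed XML document that an XSLT allow-list stylesheet can process."""
    parser = TagSoupNormalizer()
    parser.feed(tag_soup)
    parser.close()
    return "<root>" + "".join(parser.out) + "</root>"
```

Feeding the result of normalize() to the stylesheet means the XSLT only ever sees lowercase, balanced, entity-clean markup, so the filter rules can stay simple.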