When working with Apex and Visualforce, it is easy to go wrong and introduce a security hole. If you are developing or listing an app on AppExchange, the security review process makes sure your app complies with the guidelines, but it is equally important to take care of security when you are doing Force.com customization for a single org, which goes through no such review.
For all Force.com developers, this security guideline is highly recommended reading: http://wiki.developerforce.com/page/Secure_Coding_Guideline
It is safest to encode or escape everything that gets printed on a page. Most Visualforce components, such as <apex:outputField>, <apex:outputText>, and so on, escape their output by default (unless you switch that off with escape="false"). But in a few cases it is better to encode the text explicitly, either in the page with the HTMLENCODE, JSENCODE, JSINHTMLENCODE, or URLENCODE functions, or server side in the Apex controller. For example, the following line merges the Id request parameter, which is expected to be an account ID, straight into a URL on the page:
/apex/MyPage?Id={!$CurrentPage.parameters.Id}
It breaks as soon as the user passes an attack string instead of an ID, as in the following line:
/apex...
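As an added example that is not part of the original post, here is one way to do the server-side encoding the text recommends: an Apex controller that reads the Id parameter, validates it as a real Salesforce record ID, and exposes separately encoded versions for the HTML, JavaScript, and URL contexts. The class and property names (SafeIdController, accountLink, htmlId, jsId) and the page name MyPage are illustrative assumptions; the Apex methods used (Id.valueOf, String.escapeHtml4, String.escapeEcmaScript, EncodingUtil.urlEncode) are the platform's own.

```apex
// Added example (not from the original post): an Apex controller that validates
// and encodes the Id request parameter before it is merged into the page.
// Class, property and page names are illustrative assumptions.
public with sharing class SafeIdController {

    // Raw value exactly as the user supplied it; never merge this into markup.
    private final String rawId;

    public SafeIdController() {
        rawId = ApexPages.currentPage().getParameters().get('Id');
    }

    // Strict allow-list check: a Salesforce record Id is 15 or 18 alphanumeric
    // characters. Id.valueOf throws System.StringException for anything else,
    // so an attack string in the Id parameter is rejected before it reaches the page.
    public Boolean getIsValidId() {
        if (String.isBlank(rawId)) {
            return false;
        }
        try {
            Id parsed = Id.valueOf(rawId);
            // Pin the object type as well: only Account Ids are acceptable here.
            return parsed.getSobjectType() == Account.SObjectType;
        } catch (System.StringException e) {
            return false;
        }
    }

    // Safe in an HTML text context ({!htmlId} in the page body).
    public String getHtmlId() {
        return rawId == null ? '' : rawId.escapeHtml4();
    }

    // Safe inside a quoted string literal in an inline <script> block ({!jsId}).
    public String getJsId() {
        return rawId == null ? '' : rawId.escapeEcmaScript();
    }

    // Safe as a query-string value: URL-encode the parameter, and fall back to
    // the bare page when the Id did not validate. The surrounding link markup
    // is still HTML-escaped by <apex:outputLink> itself.
    public String getAccountLink() {
        if (!getIsValidId()) {
            return '/apex/MyPage';
        }
        return '/apex/MyPage?Id=' + EncodingUtil.urlEncode(rawId, 'UTF-8');
    }
}

/* Visualforce usage of the controller above (illustrative, assumed page name MyPage):
<apex:page controller="SafeIdController">
    <apex:outputText value="{!htmlId}" />
    <apex:outputLink value="{!accountLink}">Open account</apex:outputLink>
    <script>
        // escapeEcmaScript output is safe only inside a quoted JS string literal.
        var accountId = '{!jsId}';
    </script>
</apex:page>
*/
```

The point of keeping three separate getters is that each output context needs its own encoding: HTML escaping does nothing for a value dropped into a JavaScript string, and neither protects a query-string parameter. Validating the value as an Id first is the stronger control; the encoders are the defence in depth for the places where the value still has to be printed.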