Translations:Cross-site scripting/16/en

It does not matter if the escaping is redundant with the validation, the performance cost is a small price to pay in exchange for a demonstrably secure web app. It does not matter if the input comes from a trusted source, escaping is necessary even then, because escaping gives you correctness as well as security.