I am looking to secure my code against XSS attacks, yet all of the examples I have been reading deal with direct user input validation (such as in a contact form or a login).
I'm a bit confused as to whether I need to protect my code if there was no way to input directly (i.e., my website was only reading from a database and not writing to it). I'm still thinking I need to, because I class my database as an external source, and the data within the variables echoed is still coming from elsewhere.
Am I right in thinking that any data read still constitutes user input and should be treated accordingly? Also, if I then added a contact form, would I need to validate/sanitise/escape every piece of information pulled from my database on every page, or only deal with it at the form itself?
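The situation the question describes, as an added example (not code from the question or from any answer on the page): a handful of constructed database rows that the current page never received as form input, rendered once by simply echoing them and once by escaping at the point of output. The comment-table rows, the function names, and the use of Python's standard `html.escape` are assumptions for the sake of illustration; the point is that the escaping lives in the renderer, not in the form handler, so it covers rows that arrived by any path.

```python
import html
from typing import Dict, List

# Constructed sample rows standing in for a comments table. Assume they were
# written by an older version of the site, an import script, or another app
# sharing the database, so the current page never saw them as form input.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"author": "alice", "body": "Nice post!"},
    {"author": "<script>alert(1)</script>", "body": "hi"},
    {"author": "bob", "body": '" onmouseover="alert(2)'},
]


def render_comment_unsafe(row: Dict[str, str]) -> str:
    """The 'just echo it' version: trusts whatever came out of the database."""
    return f'<li data-author="{row["author"]}">{row["body"]}</li>'


def render_comment(row: Dict[str, str]) -> str:
    """Escape at the point of output, for the context the value lands in.

    html.escape(quote=True) encodes & < > " and ', which covers element text
    and double- or single-quoted attribute values. It is NOT enough for
    unquoted attributes, JavaScript string literals, or URLs (javascript:
    schemes); those contexts need their own encoders.
    """
    author = html.escape(row["author"], quote=True)
    body = html.escape(row["body"], quote=True)
    return f'<li data-author="{author}">{body}</li>'


def render_page(rows: List[Dict[str, str]]) -> str:
    """Render every row through the escaping renderer, whatever its origin."""
    return "<ul>\n" + "\n".join(render_comment(r) for r in rows) + "\n</ul>"


def store_comment(db: List[Dict[str, str]], author: str, body: str) -> None:
    """Form handler (hypothetical): validate shape, then store the raw text.

    Validation (length, required fields) belongs here. HTML escaping does not:
    the database holds data, not HTML, and the same row might later be
    rendered into JSON, a CSV export, or an e-mail, where HTML entities are
    wrong. Escaping lives in the renderer for each output format.
    """
    if not author or len(author) > 64:
        raise ValueError("author must be 1-64 characters")
    if len(body) > 2000:
        raise ValueError("body too long")
    db.append({"author": author, "body": body})


def double_encoded_if_escaped_at_input(text: str) -> str:
    """What the reader sees if you escape on the way in AND on the way out."""
    stored = html.escape(text, quote=True)   # mistaken escape at the form
    return html.escape(stored, quote=True)   # correct escape at render time


def raw_tags_survive(rendered: str, rows: List[Dict[str, str]]) -> bool:
    """True if any field containing '<' reached the output unencoded."""
    return any("<" in r[k] and r[k] in rendered for r in rows for k in r)


if __name__ == "__main__":
    print(render_page(SAMPLE_ROWS))
```

Running it shows the second row's `<script>` tag and the third row's attribute-breaking quote both coming out as entities, while `render_comment_unsafe` would emit them verbatim. Adding a contact form later does not change the renderer at all: `store_comment` validates and stores raw text, and the same `render_comment` makes it safe on every page that displays it.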