Do Not Trust User Data and Actions

Some other web attacks:
  - unescaped input
  - SQL injection
  - entry point assumptions (trusting that a request arrived the way the application expects)

Example: http://hack.wccnet.org/noescape/

All user data needs to be verified as good before it is used. Most languages provide libraries/functions for this:
  perl: taint mode, CGI module, strict, warnings
  php: various escape functions
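The "verify it, then escape it" rule in code, as an added example that is not part of the original notes: a Perl-taint-style regex check, a bound SQL parameter instead of string concatenation, and HTML escaping on output, using only Python's standard library. The users table and the inputs are constructed for the demonstration.

```python
# Added example (not from the original notes): taint-style validation,
# parameterized SQL and output escaping with Python's stdlib only.
import html
import re
import sqlite3

# Constructed sample data standing in for a site's user table.
_SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", _SAMPLE_USERS)
    return db

# Mimics Perl's taint rule: request data stays "tainted" until it has been
# passed through a regex that extracts an explicitly allowed shape.
USERNAME_RE = re.compile(r"\A([a-z][a-z0-9_]{0,31})\Z")

def untaint_username(raw):
    m = USERNAME_RE.match(raw)
    if m is None:
        raise ValueError("rejected tainted username")
    return m.group(1)

def lookup_unsafe(db, name):
    # Entry-point assumption: trusting that `name` is only ever a name.
    # Concatenation lets SQL metacharacters in the value change the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Binding alone: the value is sent as data, never parsed as SQL,
    # so an odd-looking name simply matches nothing.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def lookup_safe(db, raw_name):
    # Validate first (reject anything outside the allowed shape),
    # then still bind the value as a parameter: two independent layers.
    return lookup_bound(db, untaint_username(raw_name))

def render(rows):
    # Escape on output as well, so a stored value cannot inject markup.
    return "".join("<li>%s (%s)</li>" % (html.escape(n), html.escape(e)) for n, e in rows)
```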