I’m still astounded by how many agencies are rolling their own CMSs. There is no reason to be doing that in this day and age.
I’ve just read an announcement from a previous agency I worked with, an agency that I set up with an awesome Django stack, that they have released a new version of their own proprietary CMS. Within this announcement they post links to some of the sites they’ve completed in their new system. Every one of them has XSS holes.
If you do not know enough to prevent XSS, you are in no position to be developing such a complex piece of software. Other, much smarter people have done the hard work for you already. Use it. There is zero benefit to your clients from rolling your own, but many, many disadvantages. As well as the security, there is the issue of vendor lock-in.
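To make the “hard work already done for you” concrete, here is an added example (not code from the original post or from the agency it describes) that contrasts a homegrown renderer, which splices untrusted text straight into markup, with a minimal Django-style renderer that HTML-escapes every substituted value unless it has been explicitly marked safe. The template syntax, the `SafeString` type and the sample comment strings are assumptions constructed for the illustration; the escaping itself is Python’s standard `html.escape`.

```python
"""Why a mature framework's autoescaping matters (added example, not from the post).

`homegrown_render` is what a naive CMS tends to do: string concatenation.
`autoescaped_render` models what Django-style templates do by default:
every `{{ name }}` placeholder is HTML-escaped unless the value is a SafeString.
"""
import re
from dataclasses import dataclass
from html import escape

# Constructed samples of untrusted, user-submitted content (e.g. a comment
# and a value that ends up inside an attribute). Not real site data.
UNTRUSTED_COMMENT = "<script>alert(1)</script>"
UNTRUSTED_ATTR = '" onmouseover="alert(1)'


def homegrown_render(title: str, comment: str) -> str:
    """Vulnerable: untrusted text is spliced straight into the markup."""
    return f'<h1>{title}</h1><p class="c">{comment}</p>'


@dataclass(frozen=True)
class SafeString:
    """Wrapper meaning 'trusted markup, do not escape' (hypothetical, Django-like)."""
    value: str


def mark_safe(markup: str) -> SafeString:
    """Explicit opt-out from escaping; the only way raw HTML reaches the page."""
    return SafeString(markup)


def _escape(value) -> str:
    """Escape everything except values explicitly marked safe. quote=True also
    encodes double and single quotes so a value cannot break out of an attribute."""
    if isinstance(value, SafeString):
        return value.value
    return escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def autoescaped_render(template: str, **context) -> str:
    """Minimal Django-like renderer: every {{ name }} is escaped by default."""

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in context:
            raise KeyError(f"missing template variable: {name}")
        return _escape(context[name])

    return _PLACEHOLDER.sub(substitute, template)


def contains_raw_script_tag(html: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(homegrown_render("Hello", UNTRUSTED_COMMENT))
    print(autoescaped_render("<p>{{ comment }}</p>", comment=UNTRUSTED_COMMENT))
    print(autoescaped_render('<a title="{{ title }}">x</a>', title=UNTRUSTED_ATTR))
    print(autoescaped_render("{{ body }}", body=mark_safe("<b>trusted</b>")))
```

The point of the design is the default: a developer who forgets to escape in the homegrown version ships an XSS hole, whereas in the autoescaping version they have to write `mark_safe(...)` on purpose, which is easy to spot in code review.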
If you need a website developed, please, for your own sake and sanity, ensure the agency is using an open-source system* or be prepared to pay a premium to make another agency eat their proprietary dog-food if you ever need to move.
* Even if it is not open-source, ensure that it is from a third party and has a healthy developer community, such as Magento, Perch or ExpressionEngine.