In our experience in Google’s security team, code inspection and testing do not ensure, to a reasonably high degree of confidence, the absence of XSS bugs in large Web applications. Of course, both inspection and testing provide tremendous value and will typically find some bugs in an application (perhaps even most of the bugs), but it is difficult to be sure whether or not they discovered all the bugs (or even almost all of them).