I think the real answer to this one is "not really". Most of the possible attacks are either unrealistic or only possible if you're doing something stupid to begin with.
That said, there is still no excuse to trust user input. Always protect against XSS like you always protect against SQL injection.