If you haven't checked them out yet, make sure to read the two newest articles on developerWorks Security:
The first, Protect your apps from cross-site scripting (XSS) attacks, has an actual sandbox for you to play in. This article is based on our wildly popular tutorial, Prevent cross-site scripting attacks by encoding HTML responses.
Another tutorial we recently published, Create a security-based and machine-learning front end, teaches you how to create a security front end that automatically learns the proper format for application inputs. Where human error leaves gaps, your front end will greatly reduce the risk that applications face.