XSS & CSRF

Security flaws are the result of human error. Computers do exactly as they are told. To counter this I have a rigorous set of controls in place that enforce safer coding practices.

To counter XSS, each PHP page I develop is forcefully separated into a logic file and a template file. The only way to pass information from one to the other is through an output class that either properly escapes data or requires that I explicitly request that the data is passed in its raw format (e.g. for WYSIWYG use by clients).

Countering persistent XSS is done similarly. The database classes (discussed here) can only provide unescaped data when they are accessed from the logic file and explicitly asked to return raw data. Thus I must actually go out of my way to directly output user-provided data.
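The escape-by-default pattern from the two paragraphs above, written out as an added example rather than the author's own classes: an output gate whose only unescaped path takes a stated reason, and a repository that escapes every string column unless the logic file calls the raw accessor. The class and method names (Output, UserRepository, raw(), fetchRaw()) and the sample rows are assumptions made for this illustration.

```php
<?php
// Added example, not the author's classes: an output gate that escapes by
// default plus a repository that returns escaped rows unless raw is requested.
// Names (Output, UserRepository, raw(), fetchRaw()) are assumptions.

final class Output
{
    /** Escape for HTML body/attribute context; the default path for templates. */
    public static function html(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    /** Deliberate opt-out. The reason argument makes every raw output greppable. */
    public static function raw(string $value, string $reason): string
    {
        if (trim($reason) === '') {
            throw new LogicException('Output::raw() requires a stated reason');
        }
        return $value;
    }
}

final class UserRepository
{
    /** Constructed sample rows standing in for a database table. */
    private array $rows = [
        ['id' => 1, 'name' => 'Alice', 'bio' => 'Likes <b>bold</b> text'],
        ['id' => 2, 'name' => '<script>alert(1)</script>', 'bio' => 'x" onmouseover="alert(2)'],
    ];

    /** Default: every string column is escaped before it leaves the class. */
    public function find(int $id): ?array
    {
        $row = $this->fetchRaw($id);
        if ($row === null) {
            return null;
        }
        return array_map(fn($v) => is_string($v) ? Output::html($v) : $v, $row);
    }

    /** Explicit raw access for the rare WYSIWYG case; reads as such in review. */
    public function fetchRaw(int $id): ?array
    {
        foreach ($this->rows as $row) {
            if ($row['id'] === $id) {
                return $row;
            }
        }
        return null;
    }
}

// Logic file: decide what the template may see.
$repo = new UserRepository();
$user = $repo->find(2);                                                 // escaped by default
$bio  = Output::raw($repo->fetchRaw(1)['bio'], 'client WYSIWYG bio');   // explicit opt-in

// Template file: only the variables handed over above are available to it.
$template = fn(array $user, string $bio): string =>
    "<p>Name: {$user['name']}</p>\n<div class=\"bio\">{$bio}</div>\n";

echo $template($user, $bio);
```

Run as written, the name line comes out with its angle brackets and quotes entity-encoded, while the bio keeps its `<b>` markup because the logic file asked for it by name. One caveat the pattern does not remove: `htmlspecialchars` covers HTML body and attribute contexts only, so a value interpolated into a `<script>` block, an inline event handler or a URL needs a context-specific encoder rather than this default path.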

CSRF attacks are mitigated through classes that extend PEAR's HTML_QuickForm to automatically generate, append and later check for valid tokens.
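The token lifecycle that sentence describes (generate, append as a hidden field, check on submit), as an added example that is not the author's HTML_QuickForm subclass: it is written as a standalone class so it runs without PEAR, and the class name, the field name `csrf_token` and the in-memory session array are assumptions made for this illustration.

```php
<?php
// Added example, not the author's HTML_QuickForm subclass: the same token
// lifecycle written as a standalone class so it runs without PEAR.
// Names (CsrfGuard, field name 'csrf_token') are assumptions.

final class CsrfGuard
{
    private const FIELD = 'csrf_token';
    private const SESSION_KEY = 'csrf_tokens';

    private array $session;

    /** Usually $_SESSION; taken by reference so a plain array works for testing. */
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Generate a per-form token from a CSPRNG and store it server-side by form name. */
    public function issue(string $form): string
    {
        $token = bin2hex(random_bytes(32));
        $this->session[self::SESSION_KEY][$form] = $token;
        return $token;
    }

    /** Hidden field to append to the rendered form (what the subclass does automatically). */
    public function hiddenField(string $form): string
    {
        $token = htmlspecialchars($this->issue($form), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="' . self::FIELD . '" value="' . $token . '">';
    }

    /** Constant-time comparison; the token is consumed so it cannot be replayed. */
    public function check(string $form, array $post): bool
    {
        $expected = $this->session[self::SESSION_KEY][$form] ?? null;
        $given    = $post[self::FIELD] ?? null;
        unset($this->session[self::SESSION_KEY][$form]);
        if (!is_string($expected) || !is_string($given)) {
            return false;
        }
        return hash_equals($expected, $given);
    }
}

// Constructed walk-through using an in-memory session instead of $_SESSION.
$session = [];
$guard   = new CsrfGuard($session);
$field   = $guard->hiddenField('profile');          // rendered inside the <form>
preg_match('/value="([0-9a-f]+)"/', $field, $m);    // what the browser would post back

var_dump($guard->check('profile', ['csrf_token' => $m[1]]));   // genuine submission
var_dump($guard->check('profile', ['csrf_token' => $m[1]]));   // replay of the same token
var_dump($guard->check('profile', []));                        // cross-site post, no token
```

The first check succeeds; the replay and the token-less post both fail, the latter without ever reaching the comparison. Two design points worth keeping when wiring this into a form library: compare with `hash_equals` rather than `==` so the check does not leak timing information, and be aware that consuming the token on first use, as done here, makes a form opened in two tabs fail in the second tab, so some sites keep per-session rather than per-submission tokens and accept the weaker replay property.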