It is your job to escape output in Solar views to prevent Cross-Site Scripting (XSS). Use the built-in escape helper:
echo $this->escape($potentially_unsafe_value);
As a general rule, all Solar view helpers that output HTML escape their output. The exceptions are listed below; be careful with these helpers.
getTextRaw allows a translated string to contain HTML. Note that data passed to the replacements parameter of getTextRaw will not be escaped, so you must pre-escape replacement values before calling getTextRaw(). Conversely, you must NOT pre-escape replacement values when calling getText(), because getText() escapes them itself and the values would be escaped twice.
publicHref returns a raw (unescaped) value if its second parameter is TRUE. A variety of other helpers use this feature.
linkStylesheet does not escape its href parameter.
scriptInline does not escape its code parameter.
The head view helper does not return HTML.
One thing to watch for is passing already-escaped output to a view helper that will escape the output again:
echo $this->anchor($href, $this->escape($title));
Here, $title is escaped twice: the entity references produced by the first escape are escaped again and show up literally in the rendered page.
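The following view script pulls the rules above together, as an added example and not code from the Solar documentation. It assumes a $this->item record assigned by the controller (with untrusted 'title' and 'url' fields), hypothetical locale keys HELLO_USER and WELCOME_HTML, and the getText()/getTextRaw() argument order ($key, $num, $replace) of the Solar helpers.

```php
<?php
// Added example of a Solar view script (not from the Solar docs).
// $this->item is assumed to be a record assigned by the controller whose
// 'title' and 'url' originate from user input and are therefore untrusted.

// 1. Plain output: always go through the escape helper.
echo '<h1>' . $this->escape($this->item->title) . '</h1>';

// 2. Helpers that emit HTML (anchor, getText, ...) escape for you.
//    Pass the RAW value; pre-escaping would turn "&amp;" into "&amp;amp;".
echo $this->anchor($this->item->url, $this->item->title);
// WRONG: double-escaped title
// echo $this->anchor($this->item->url, $this->escape($this->item->title));

// 3. getText() escapes its replacement values itself: pass them raw.
//    (HELLO_USER is an assumed locale key, e.g. "Hello, {:0}".)
echo $this->getText('HELLO_USER', 1, array($this->item->title));

// 4. getTextRaw() lets the translated string carry HTML, so its
//    replacements are NOT escaped: pre-escape anything untrusted.
//    (WELCOME_HTML is an assumed key, e.g. "Welcome, <strong>{:0}</strong>".)
echo $this->getTextRaw('WELCOME_HTML', 1, array(
    $this->escape($this->item->title),
));

// 5. linkStylesheet() and scriptInline() do not escape their arguments.
//    Only ever pass them values you control, never request data.
echo $this->linkStylesheet('styles/site.css');

// 6. publicHref() returns a raw value when its second parameter is TRUE;
//    leave that parameter at its default unless you escape the result yourself.
echo '<img src="' . $this->publicHref('images/logo.png') . '" alt="Logo" />';
```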