How to protect yourself from XSS?
Good day, dear habrazhiteli.
The question of securing data that comes from the client side has been brewing for a long time. Naturally, it needs to be checked somehow, but how and with what? If a decent-sized object arrives in a POST with a couple of nested objects and a dozen properties, how do I check them? By iterating over every one of them? Perhaps there are some ready-made solutions in the form of modules.
Thank you for your attention.
Have a good mood!
> Naturally, they need to be checked somehow
No need. This is a very common mistake.
The received data and XSS are not connected in any way.
You just need to output the data correctly.
XSS aside, there was a post http://www.nearform.com/nodecrunch/release-the-kracken-how-paypal-is-being-revolutionized-by-node-js-and-lean-ux and something called Lusca was mentioned there, but Google did not turn up anything.
`Validators and Normalizers`. First, we usually have a separate entity (class) with validators for each model, and when receiving data, for example in a POST request, we normalize it; here is a similar answer.
RegExp patterns (a normalizer followed by validators) on the server side.
Cross-site scripting is a client-side vulnerability, and a distinction is made between persistent and non-persistent XSS. In the first case, it is code that the attacker manages to embed in the page, and it runs whenever a user visits that page. Non-persistent XSS is a URL that contains the malicious code.
The easiest way to protect yourself is to clean up the input data with filters, for example:

```php
<?php
// Replace characters with special meaning in HTML (&, <, >, ", ') with their HTML entities.
$safe = filter_var($url, FILTER_SANITIZE_SPECIAL_CHARS);
```
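As an added example that is not part of any answer in this thread, the JavaScript below shows the point of the "output the data correctly" answer above and contrasts it with the input-filtering approach of the `filter_var` answer: the object is stored exactly as received, and each field is escaped for the HTML context at the moment it is rendered. The escape table, `renderProfile`, `naiveInputFilter` and the sample object are all constructed for this illustration and are not from the original page.

```javascript
// Escaping table for an HTML text node or double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for the HTML body context. Done at output time, never on the way in.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored object (nested objects and all) into an HTML table.
// Every field passes through escapeHtml as it is written into the markup,
// so the caller never has to pre-clean the incoming data.
function renderProfile(profile) {
  const rows = Object.entries(profile).map(([key, val]) => {
    const text = typeof val === 'object' && val !== null ? JSON.stringify(val) : val;
    return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(text)}</td></tr>`;
  });
  return `<table>${rows.join('')}</table>`;
}

// Constructed sample input: one hostile field, one perfectly legitimate field that
// contains angle brackets, and one nested object (the questioner's case).
const sample = {
  name: "O'Brien <script>alert(1)</script>",
  bio: 'x < y && y > z',
  address: { city: 'Paris', zip: '75001' },
};

// A naive "sanitize on input" filter that strips angle brackets. It destroys the
// legitimate bio text, and the stripped data is still unsafe for other output
// contexts (JSON, SQL, logs), which is why escaping belongs at the output.
function naiveInputFilter(s) {
  return String(s).replace(/[<>]/g, '');
}

// Run both approaches on the same data and report what each one did.
function demo() {
  const html = renderProfile(sample);
  return {
    html,
    scriptSurvived: /<script/i.test(html),                    // false: tag became inert text
    bioIntact: html.includes('x &lt; y &amp;&amp; y &gt; z'),  // true: data preserved
    filteredBio: naiveInputFilter(sample.bio),                // 'x  y && y  z': data lost
  };
}
```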
In your case, for starters, I would recommend first establishing which data-entry and submission forms pose a threat. One could perform a SQL injection, or inject JavaScript and steal the admin's session cookie, or upload a specially crafted file with a payload and run it via an exploit in outdated software.
To find places on the site vulnerable to XSS and other vulnerabilities, try an online scanner such as METASCAN. It will show the weak points of the site, and they can then be "closed".