Unplanned
Last Updated: 08 Apr 2020 13:53 by ADMIN
Wannes
Created on: 30 Oct 2013 12:38
Category: Templates
Type: Feature Request
Add Cross Site Scripting (XSS) prevention
Concerning Cross Site Scripting (XSS), from the client-side perspective, data coming from any server cannot be trusted, even when it's one of your own servers (which may have been hacked).
While it is true that you need XSS protection on your server, it's certainly not a luxury to have additional protection on the client-side.

The kendo.template() function for example can be extended to filter out any unwanted <script> tags. The following code would do it:

```javascript
// Keep a reference to the original compiler, then replace it with a wrapper.
var kendoTemplate = kendo.template;
kendo.template = function () {
    // Compile the template exactly as before.
    var templateFunction = kendoTemplate.apply(kendoTemplate, arguments);
    return function () {
        // $.parseHTML() with keepScripts omitted (false) drops <script> elements
        // from the rendered markup; it leaves other elements and attributes as they are.
        var htmlWithoutScripts = $.parseHTML(templateFunction.apply(templateFunction, arguments));
        // Serialise the remaining nodes back into an HTML string.
        return $("<div></div>").html(htmlWithoutScripts).html();
    };
};
```

The jQuery.parseHTML() function will strip any <script> tags...
I'm not sure what the impact is for performance when there are too many repeated template calls on the same screen, but for normal use the overhead should be minimal.
Maybe this code can be run only for the HTML expressions in the template (#= expression#).

Could this kind of XSS protection be added to Kendo UI by default? Or at least be available as an option?

Best Regards,
Wannes Simons.
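Added example, not part of the request or of Kendo UI: the request mentions the raw `#= expression #` marker; Kendo templates also have the HTML-encoding `#: expression #` marker, and encoding server-supplied values at the expression is what keeps a `<script>` element (or any other markup) inert without a post-render filter. The renderer below is an independent stand-in that only mimics those two markers; unlike kendo.template, `expression` here is just a property name looked up on the data object, and `htmlEncode` is an assumed five-character encoder, not kendo.htmlEncode.

```javascript
// Encode the characters that matter in text content and double-quoted attributes.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Compile a template string into a render function. Markers:
//   #= name #  -> inserted as-is (only for markup you control)
//   #: name #  -> HTML-encoded (the safe default for data from any server)
// "name" is restricted to a single identifier; Kendo evaluates a real expression.
function compileTemplate(template) {
  const marker = /#([=:])\s*([A-Za-z_$][\w$]*)\s*#/g;
  return function render(data) {
    return template.replace(marker, (_, kind, name) => {
      if (!Object.prototype.hasOwnProperty.call(data, name)) {
        throw new Error("template refers to unknown field: " + name);
      }
      return kind === ":" ? htmlEncode(data[name]) : String(data[name]);
    });
  };
}

// Constructed sample: a "server" value carrying a script element.
const untrustedName = "Wannes <script>x()</script>";

// Encoded marker: the script becomes inert text inside the <li>.
function renderEncoded() {
  return compileTemplate("<li>#: name #</li>")({ name: untrustedName });
}

// Raw marker: the script element survives, which is what the post-render
// filter in the request is trying to catch after the fact.
function renderRaw() {
  return compileTemplate("<li>#= name #</li>")({ name: untrustedName });
}
```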