This strategy is directly akin to anti-virus pattern updates.
Unless the business will allow updating "bad" regexes on a daily basis and support someone to research new attacks regularly, this approach will be obviated before long.
Adopting this strategy means that you will have to maintain the list of "known bad" characters and patterns forever, and you will by definition have incomplete protection.
It can take upwards of 90 regular expressions (see the CSS Cheat Sheet in the Development Guide 2.0) to eliminate known malicious software, and each regex needs to be run over every field. Just rejecting "current known bad" (which is at the time of writing hundreds of strings and literally millions of combinations) is insufficient if the input is a string.
As an alternative you can also try our non-DTD-based validator.
Integrity checks must be included wherever data passes from a trusted to a less trusted boundary, such as from the application to the user's browser in a hidden field, or to a third party payment gateway, such as a transaction ID used internally upon return.However, simply preventing attacks is not enough - you must perform Intrusion Detection in your applications.Otherwise, you are allowing attackers to repeatedly attack your application until they find a vulnerability that you haven't protected against.In many cases, Encoding has the potential to defuse attacks that rely on lack of input validation.For example, if you use HTML entity encoding on user input before it is sent to a browser, it will prevent most XSS attacks.