One of the security principles is sanitizing strings and variables passed from client to server. In plain PHP there are some functions to prevent XSS (Cross-site Scripting) vulnerabilities:

• htmlspecialchars()
• strip_tags()

What is Drupal 8 strategy to prevent XSS attacks? How can I clean up client data post to protect my site from XSS attacks?

I remember Drupal 7 has filter_xss() to prevent XSS vulnerabilities, but what is Drupal 8 strategy against XSS vulnerabilities?