All you've done now is shipped off the responsibility to the API. The API is not bug free, I guarantee you. There will still be XSS vulnerabilities, but they'll just live in the API now.
Imagine you decide to fix buffer overflows by switching from C to Java. You're no longer relying on the fact that your code won't have buffer overflows, you're relying on the fact that (1) the JVM code doesn't have buffer overflows and (2) the JVM will catch all your buffer overflows and throw exceptions.
I feel very confident Java has few, if any, bugs. I do not, however, hold that same level of confidence with most APIs in use today. They simply haven't had the time to become as robust.
However, even then, this does not solve all of your issues. There are times when you need to insert tags dynamically, and once you start doing that, there are a million more ways things can go wrong. Sure, you can put another restrictive API in front of that which requires the programmer to take ten lines to describe the single tag she wants, but those APIs will rarely get used because of this.
At the end, for any class of vulnerabilities, there is always a way to entirely eliminate it. Rarely is it the case, however, that you can do so without dramatic losses in other areas.
I honestly have no idea what you're talking about or advocating, if anything.
If you switch to the JVM, a buffer overflow triggers determinate behavior -- it throws an exception rather than writing over the saved return address or the heap.
The attack surface is by it's nature is much smaller than if you rely on programmer correctness in C.
As for inserting tags "dynamically," this sounds like a broken templating system if that means exposing the programmer to fail-fast (instead of fail-safe) escaping APIs.
Imagine you decide to fix buffer overflows by switching from C to Java. You're no longer relying on the fact that your code won't have buffer overflows, you're relying on the fact that (1) the JVM code doesn't have buffer overflows and (2) the JVM will catch all your buffer overflows and throw exceptions.
I feel very confident Java has few, if any, bugs. I do not, however, hold that same level of confidence with most APIs in use today. They simply haven't had the time to become as robust.
However, even then, this does not solve all of your issues. There are times when you need to insert tags dynamically, and once you start doing that, there are a million more ways things can go wrong. Sure, you can put another restrictive API in front of that which requires the programmer to take ten lines to describe the single tag she wants, but those APIs will rarely get used because of this.
At the end, for any class of vulnerabilities, there is always a way to entirely eliminate it. Rarely is it the case, however, that you can do so without dramatic losses in other areas.