Experienced developers learn what their core business functions are and write whatever software they deem necessary to perform those functions extraordinarily well.... [In] choosing to fight that HTML sanitizer battle, I've earned the scars of experience. I don't have to take anybody's word for it -- I don't have to trust "libraries". I can look at the code, examine the input and output, and predict exactly what kinds of problems might arise. I have a deep and profound understanding of the risks, pitfalls, and tradeoffs of HTML sanitization... and cross-site scripting vulnerabilities.
Jeff Atwood, Programming Is Hard, Let's Go Shopping!
It's difficult for me to imagine that any core business function of a website is "expose XSS and XSRF vulnerabilities". In my experience, only novices think "I should write my own CGI parameter handling code!" while the experts think "Too much busy work; I'll work on something that matters." In practice, that novice approach is "I'll copy this code I found somewhere else and tweak it until it looks right." That's not learning. That's sympathetic voodoo magic. "I learn better when I code it myself" is an excuse which really means "I don't want to bother learning it at all!"
A programmer genuinely interested in learning would have started with test cases (and copious test cases are available for this). Forget the "scars of experience". Instead, take advice from programmers who code with their brains, not their machismo.