One of the most frequent vulnerabilities in modern PHP applications is cross-site scripting (XSS). As with most security concerns, proper data filtering can practically eliminate the risk of cross-site scripting. However, in this case the real risk arises when foreign data is used in your output and thereby potentially displayed to other users. This is fairly typical for applications such as webmail, forums, wikis, and even 404 handlers.
The best defense against cross-site scripting is to use functions such as htmlspecialchars() or htmlentities() on data prior to displaying it. Of these two functions, htmlentities() is better for this purpose because it is more inclusive in terms of what entities it encodes.
This is a blacklist approach, but because there is a finite number of well-documented characters that have a special meaning within HTML, it is actually a pretty strong approach in this case. Of course, it is still best to be strict in your data filtering. If you are expecting a person's first name, should valid JavaScript make it through your data filtering? Hopefully you agree that this is not desirable.
Other functions such as strip_tags() (which attempts to remove all valid HTML and PHP tags) can also help in preventing cross-site scripting vulnerabilities, but this is an example of a somewhat weaker blacklist approach than what htmlentities() provides.
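The following PHP script is an added example, not code from the original article, that puts the three ideas above side by side: a strict whitelist filter for the "first name" case, output encoding with htmlentities() at the point of display, and strip_tags() for comparison. The function names, the regular expression and the sample inputs are my own constructions; only htmlentities(), strip_tags() and their flags are real PHP APIs.

```php
<?php
declare(strict_types=1);

// Encode untrusted data for an HTML context. ENT_QUOTES covers both quote
// styles so the result is also safe inside quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string.
function escape_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: foreign data echoed straight into the page.
function render_greeting_vulnerable(string $firstName): string
{
    return "<p>Hello, {$firstName}!</p>";
}

// Hardened pattern: the same output, encoded at the point of display.
function render_greeting_safe(string $firstName): string
{
    return '<p>Hello, ' . escape_html($firstName) . '!</p>';
}

// Whitelist filter for a first name (assumed policy): letters, combining
// marks, spaces, hyphens and apostrophes only, 1 to 64 characters.
// Anything else, including markup, is rejected before it is ever stored.
function is_valid_first_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' -]{1,64}$/u', $name);
}

// Constructed sample inputs, as they might arrive in $_POST['first_name'].
$samples = [
    'Alice',
    "O'Brien",
    '<script>alert(1)</script>',
    'Bob "Rob" O\'Brien & Sons',
];

foreach ($samples as $input) {
    echo "input:      {$input}\n";
    echo 'valid name: ' . (is_valid_first_name($input) ? 'yes' : 'no') . "\n";
    echo 'vulnerable: ' . render_greeting_vulnerable($input) . "\n";
    echo 'safe:       ' . render_greeting_safe($input) . "\n";
    // strip_tags() removes tags but leaves quotes and ampersands untouched,
    // which is why it is a weaker defence than htmlentities() and is not
    // sufficient on its own where the data lands inside an attribute.
    echo 'strip_tags: ' . strip_tags($input) . "\n\n";
}
```

Run it with `php xss_demo.php`. The first two samples pass the whitelist and render identically in both branches; the third is rejected by the filter, and even if it slipped through, the safe branch emits `&lt;script&gt;` rather than a live element. The fourth sample shows the difference between the two blacklist approaches: htmlentities() encodes the quotes and the ampersand, while strip_tags() passes them through unchanged.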