How to protect our PHP code from cross-site scripting?
Cross-site scripting (XSS) is a type of security vulnerability found in web-based applications. XSS enables attackers to inject client-side script into web pages viewed by other users, and it may be used to bypass access controls such as the same-origin policy.
You can prevent XSS attacks by escaping your output with htmlspecialchars() or htmlentities(). Both PHP functions convert problematic characters into HTML entities, so the injected code is output as harmless text instead of being rendered.
htmlentities() encodes ANY character that has an HTML entity equivalent, whereas htmlspecialchars() encodes ONLY a small set of the most problematic characters. It is generally recommended to use htmlspecialchars(), because htmlentities() can cause display problems with your text depending on which characters are being output.
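An added example (not from the original answer) that escapes a constructed untrusted value with a small htmlspecialchars() wrapper, shows the raw interpolation it replaces, and reproduces the htmlentities() charset problem described above; the helper name e() is my own choice.

```php
<?php
declare(strict_types=1);

// Escape untrusted text for HTML body content or a quoted attribute.
// ENT_QUOTES also encodes single quotes (needed inside single-quoted
// attributes), ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
// returning an empty string, and the explicit charset keeps the result
// independent of php.ini settings.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of a value a user might submit through a form field.
$untrusted = '<script>alert("xss")</script> Zoë\'s café';

// Vulnerable: the raw value is interpolated into markup, so the browser
// parses and executes the <script> element.
$vulnerable = "<p>Hello, {$untrusted}</p>";

// Fixed: the same value escaped with htmlspecialchars(); the browser renders
// the tag as literal text, and the UTF-8 letters ë and é are left untouched.
$safe = '<p>Hello, ' . e($untrusted) . '</p>';

// The same helper works inside a quoted attribute, because " and ' are
// encoded and cannot terminate the attribute early.
$input = '<input type="text" name="q" value="' . e($untrusted) . '">';

// htmlentities() goes further and replaces every character that has a named
// entity, so ë and é also become entities. This is harmless as long as the
// charset argument matches the data...
$entities = htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// ...but if the declared charset does not match, each byte of a multi-byte
// UTF-8 character is encoded as its own entity and the page shows mojibake.
// This is the display problem the answer warns about.
$broken = htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'ISO-8859-1');

foreach (['vulnerable' => $vulnerable, 'safe' => $safe, 'input' => $input,
          'entities' => $entities, 'broken' => $broken] as $label => $html) {
    echo $label, ': ', $html, PHP_EOL;
}
```

HTML escaping covers text and attribute contexts only; a value placed inside a script block, a URL or a CSS rule needs an encoder for that context.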