Whenever you print user input back into a page – even something as simple as re-populating a form field from a value stored in a cookie – someone is bound to try to exploit it, usually by injecting markup or script (cross-site scripting). The defence is to encode the value for the context it lands in; for HTML body text and quoted attribute values that means HTML-entity encoding, applied at the point of output rather than when the value is stored.

Here’s a simple function that escapes a string for HTML output (strictly speaking it’s output encoding, not input sanitising, and it only covers HTML body and quoted-attribute contexts, not unquoted attributes, URLs or inline JavaScript):

function sanitize($html){
	// Undo magic_quotes_gpc escaping on old PHP. The setting was removed in PHP 5.4
	// and the function itself no longer exists in PHP 8, hence the function_exists() guard.
	if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()){
		$html = stripslashes($html);
	}
	// Replace invalid UTF-8 byte sequences ('?' by default); without this, htmlentities()
	// returns an empty string for malformed input instead of an encoded one.
	$html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');
	// Encode &, <, >, " and ' as entities so the value cannot break out of HTML text
	// or a quoted attribute. ENT_QUOTES is what makes the single quote safe too.
	$html = htmlentities($html, ENT_QUOTES, 'UTF-8');
	return $html;
}
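To see what the function buys you, here is the cookie re-population case from the opening paragraph written both ways, plus the one case the function does not cover. This is an added example, not code from the original post; the cookie name, the form field and the payload are all made up for illustration, and the payload is assigned to $_COOKIE directly so the script runs from the command line.

```php
<?php
// Added example (not from the original post). sanitize() is the function above,
// repeated here so the file runs stand-alone.
function sanitize($html){
	if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()){
		$html = stripslashes($html);
	}
	$html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');
	return htmlentities($html, ENT_QUOTES, 'UTF-8');
}

// Constructed attacker input standing in for a cookie the attacker controls:
// it closes the value="" attribute and adds an event handler.
$_COOKIE['last_search'] = '" autofocus onfocus="alert(document.cookie)';
$lastSearch = $_COOKIE['last_search'] ?? '';

// VULNERABLE: the raw cookie value is concatenated into a quoted attribute.
// The embedded " terminates value="..." and the rest becomes new attributes.
$unsafe = '<input type="text" name="q" value="' . $lastSearch . '">';

// HARDENED: every " and ' is now &quot; / &#039;, so the browser keeps the whole
// payload inside the attribute and shows it as literal text in the field.
$safe = '<input type="text" name="q" value="' . sanitize($lastSearch) . '">';

// STILL VULNERABLE: an unquoted attribute. htmlentities() does not encode spaces,
// so "x onfocus=alert(1)" still splits into a value plus a new attribute.
$_COOKIE['last_search'] = 'x autofocus onfocus=alert(1)';
$unquoted = '<input type="text" name="q" value=' . sanitize($_COOKIE['last_search']) . '>';

echo $unsafe,   PHP_EOL;
echo $safe,     PHP_EOL;
echo $unquoted, PHP_EOL;
```

The takeaway is that the function is only a complete fix when the output slot is HTML text or an attribute you have wrapped in quotes. Always quote attribute values, and for other slots (a URL in href, a string inside a script block) use the encoding appropriate to that context rather than reusing this one.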