Whenever you’re printing user input to a page – even something as simple as re-populating an input from a previous page via cookie – someone’s bound to try to exploit it.
Here’s a simple function to help sanitize user input before it is echoed into HTML:
function sanitize_html($html) {
    $html = stripslashes($html);                          // undo backslash escaping (magic_quotes era)
    $html = mb_convert_encoding($html, 'UTF-8', 'UTF-8'); // replace invalid UTF-8 byte sequences
    return htmlentities($html, ENT_QUOTES, 'UTF-8');      // escape &, <, >, " and '
}
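As an added, runnable illustration (not code from the original post), the snippet below wraps the three steps in a function named sanitize_html (the name is assumed) and runs it over a few constructed inputs of the kind a form field or cookie might carry: a stray HTML element, a value containing quotes and an ampersand, and a string with an invalid UTF-8 byte. The cookie name 'name' at the end is likewise an assumption, used to show the re-population case the post mentions.

```php
<?php
// Added example: exercises the sanitizing steps described above on
// constructed inputs. Function and cookie names are assumptions.

function sanitize_html(string $html): string
{
    // Only meaningful for input escaped by magic_quotes (removed in PHP 5.4);
    // on modern PHP this simply removes literal backslashes.
    $html = stripslashes($html);

    // Re-encoding UTF-8 as UTF-8 replaces invalid byte sequences with the
    // mbstring substitute character ('?' by default), so malformed multibyte
    // sequences cannot survive into the output.
    $html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');

    // ENT_QUOTES escapes both " and ', so the result is safe inside single-
    // or double-quoted attribute values as well as in text nodes.
    return htmlentities($html, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs (not real user data).
$samples = [
    'element'   => '<b>bold</b>',
    'quotes'    => 'Tom & Jerry\'s "show"',
    'bad_utf8'  => "caf\xC3\x28",   // \xC3 expects a continuation byte; \x28 is not one
];

foreach ($samples as $label => $raw) {
    printf("%-9s %s\n", $label, sanitize_html($raw));
}

// Re-populating a form field from a cookie, the case mentioned above.
// The escaped value can be placed directly inside a quoted attribute.
$name = sanitize_html($_COOKIE['name'] ?? '');
echo '<input type="text" name="name" value="' . $name . '">' . "\n";
```

Because the escaping is applied at output time, the same raw value can still be stored or compared unchanged; only the copy that reaches the HTML is transformed. Run it from the command line to see each sample's escaped form, and note that this covers HTML text and attribute contexts only: a value destined for a JavaScript string, a URL, or a CSS property needs escaping appropriate to that context.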