What are the best practices for avoiding xss attacks in a PHP site

Front end · unresolved · 20 answers · 2585 views
佛祖请我去吃肉 2020-11-22 02:34

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputting that is derive

20 answers
  •  滥情空心
    2020-11-22 03:16

    • Don't trust user input
    • Escape all free-text output
    • Don't use magic_quotes; see if there's a DBMS-specific variant, or use PDO
    • Consider using HTTP-only cookies where possible to avoid any malicious script being able to hijack a session

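The four points in the answer above, carried out in one runnable PHP script. This is an added example, not the answerer's code or anything from the original question: it assumes PHP 8 with the pdo_sqlite extension, and the helper names e(), js(), safeUrl() and findUser() are made up for illustration. It goes a little beyond the answer by escaping per output context (HTML text, attribute, URL, script block), since htmlentities() on its own does not cover the URL and script cases.

```php
<?php
declare(strict_types=1);

// Cookie hardening must be set before session_start() sends headers.
// HttpOnly keeps document.cookie from reading the session id; Secure and
// SameSite are the usual companions.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// Escape for HTML text and for quoted attribute values.
// ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value embedded in a <script> block: JSON with the HTML-significant
// characters hex-encoded, so a string containing "</script>" cannot close the tag.
function js(mixed $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// A javascript: URL is XSS even after HTML escaping, so href values need a
// scheme check, not just escaping. Hypothetical helper for this example.
function safeUrl(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) {
        // Relative path is fine; protocol-relative "//evil.example" is not.
        return (str_starts_with($url, '/') && !str_starts_with($url, '//')) ? $url : '#';
    }
    return in_array(strtolower((string) $scheme), ['http', 'https'], true) ? $url : '#';
}

// PDO prepared statement instead of magic_quotes: the value is sent
// separately from the SQL text, so no quoting of user input is needed.
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed malicious inputs standing in for $_GET / $_POST values.
$name    = '<script>alert(1)</script>';
$comment = '" onmouseover="alert(2)';
$link    = 'javascript:alert(3)';

// In-memory SQLite so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute([$name]);

// Vulnerable pattern the question is trying to avoid (kept as a comment):
//   echo "<p>Hello $name</p>";

// Hardened output, escaped per context.
echo '<p>Hello ' . e($name) . "</p>\n";
echo '<input name="comment" value="' . e($comment) . "\">\n";
echo '<a href="' . e(safeUrl($link)) . "\">profile</a>\n";
echo '<script>var user = ' . js(['name' => $name]) . ";</script>\n";

// The stored value comes back untouched by the database layer and is
// escaped again at output time; an injection attempt simply matches nothing.
$row = findUser($pdo, $name);
echo '<p>From DB: ' . e($row['name'] ?? '(none)') . "</p>\n";
var_dump(findUser($pdo, "' OR 1=1 --") === null);
```

Running this prints the four escaped lines, the stored name re-escaped, and bool(true) for the injection probe. The rule it illustrates is the one the answer gives: never quote or escape on the way in (magic_quotes), escape on the way out, and pick the escaper by where the value lands.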