That every value everywhere has to be encoded appropriately. echo $some_variable_that_seems_innocent is evil nine times out of ten.
Use htmlspecialchars() in HTML/XML, prepared statements or at least addslashes() when building SQL queries, json_encode() when inserting values into scripts, rawurlencode() when appending URL components, escapeshellargs() when constructing shell commands, etc.
If you insert text in URL that's part of a script in XHTML document, you'll need to encode data three times.
