21st October 2021, 16:04
BamBam0077
[ViP] cross-site scripting (XSS) attacks
When data comes from external sources like a form filled in by anonymous users, there is a risk that it may contain malicious script intended to launch cross-site scripting (XSS) attacks. Therefore, you must escape this data using the PHP htmlspecialchars() function before displaying it in the browser, so that any HTML tag it contains becomes harmless.

For example, after escaping special characters the string <script>alert("XSS")</script> becomes &lt;script&gt;alert("XSS")&lt;/script&gt; which is not executed by the browser.

Last edited by BamBam0077; 21st October 2021 at 16:05. Reason: Credits> https://www.tutorialrepublic.com/php-tutorial/php-mysql-login-system.php
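The escaping described in the post above, as an added example that is not part of the original post or the credited tutorial. It escapes form input at output time in both an HTML text context and a quoted attribute context; the helper name e() and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: escape untrusted input when it is written into HTML.
// The helper name e() is hypothetical, not a PHP built-in.
function e(string $value): string
{
    // ENT_QUOTES escapes both " and ' so a value cannot close its attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning
    // an empty string. The charset must match the page's declared charset.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST from an anonymous form.
$submitted = [
    'username' => 'Tom "the user" O\'Neil',
    'comment'  => 'Hello & welcome <script>alert("XSS")</script>',
];

// Keep the raw values in variables and escape only at the point of output,
// so the same data can still be stored or compared unmodified.
$username = $submitted['username'] ?? '';
$comment  = $submitted['comment'] ?? '';
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Escaped output</title>
</head>
<body>
  <!-- Attribute context: the value is quoted AND escaped. -->
  <form method="post">
    <input type="text" name="username" value="<?= e($username) ?>">
    <textarea name="comment"><?= e($comment) ?></textarea>
  </form>

  <!-- Text context: markup in the comment is displayed as literal text. -->
  <p><?= e($comment) ?></p>
</body>
</html>
```

htmlspecialchars() covers HTML text and quoted attribute values only. Data placed inside a script block, an unquoted attribute, or a URL attribute such as href needs context-specific encoding or validation instead.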