What Are the Common Defenses Against XSS

Should I use htmlentities() on all output? (preventing XSS attacks)

There are two benefits to using htmlentities():

  • XSS prevention
  • Converting special characters to proper HTML entities, for example it converts the copyright character to &copy;. In HTML content you should use the appropriate HTML entity instead of inserting a raw special character.

For XSS prevention, you could use htmlspecialchars() instead, but it will only convert some basic characters to HTML entities, namely quotes, the ampersand, and the less-than/greater-than characters.

In answer to your question, you should use htmlentities() when outputting any content that could contain user input or special characters.
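As an added example (not code from the answer above), here is how the two functions are called with explicit flags and charset, what htmlentities() does beyond htmlspecialchars(), and why the flags matter once the escaped value lands in an attribute. The input string is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Escaping helpers for the
// HTML text and quoted-attribute contexts, plus a look at what htmlentities()
// does beyond htmlspecialchars().

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES: escape both quote styles (before PHP 8.1 the default flags left
// single quotes alone). ENT_SUBSTITUTE: replace invalid UTF-8 sequences with
// U+FFFD instead of returning an empty string. The charset is always explicit.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same contract, but every character that has a named entity is converted too
// (the copyright sign becomes &copy;, e-acute becomes &eacute;, and so on).
function escEntities(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker-style input: markup, both quote styles, an ampersand,
// and a non-ASCII character that has a named entity.
$userInput = "<script>alert('x')</script> \"Bob\" & Co \u{00A9} 2024";

// Text context: the script tag is neutralised by either function; only the
// treatment of the copyright sign differs.
echo '<p>', escHtml($userInput), '</p>', PHP_EOL;
echo '<p>', escEntities($userInput), '</p>', PHP_EOL;

// Attribute context: the attribute MUST be quoted in the template. With
// ENT_QUOTES the attacker cannot close the quote and append an event handler.
$name = '" onmouseover="alert(1)';
echo '<input name="who" value="', escHtml($name), '">', PHP_EOL;

// Escape exactly once, at output time. double_encode defaults to true, so
// escaping an already-escaped string turns its &amp; into &amp;amp; and the
// user sees a literal "&amp;" on the page.
$once  = escHtml('Tom & Jerry');
$twice = escHtml($once);
var_dump($once === $twice);
```

Both functions cover only the HTML text and quoted-attribute contexts. They do not make a value safe inside a `<script>` block, an unquoted attribute, a `style` attribute, or the scheme part of an `href` (a `javascript:` URL contains no character either function escapes); those contexts need their own encoder or validation.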

Avoid XSS with an HTML tag like pre

No, there is no such tag in HTML that would prevent XSS attacks, and it's impossible to make one. Let's assume that there was such a tag, say, <safe>. The attacker would only need to close it: </safe><script> malicious code </script><safe>.

The way to stop XSS in this specific case would be to escape special characters to their URL encoding counterparts, so that http://quir.li/player.html?media=<script>alert('test')</script> becomes http://quir.li/player.html?media=%3Cscript%3Ealert('test')%3C%2Fscript%3E.
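As an added example (not code from the answer above), this builds the player link from an untrusted "media" value using one encoder per context: URL encoding for the query string, then HTML escaping for the attribute the finished URL is written into. The payload is the one from the answer; the `autoplay` parameter and the `attr()` helper are assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer. Two encoding layers for
// an untrusted value that travels through a query string into an HTML attribute.

// Constructed untrusted value (the payload from the answer above).
$media = "<script>alert('test')</script>";

// Context 1: a query-string value. rawurlencode() (RFC 3986) percent-encodes
// every byte outside the unreserved set, so <, >, ', / and spaces become %XX.
$url = 'http://quir.li/player.html?media=' . rawurlencode($media);

// With several parameters, let http_build_query() encode each key and value;
// PHP_QUERY_RFC3986 selects rawurlencode-style encoding (spaces as %20, not +).
$urlMulti = 'http://quir.li/player.html?' . http_build_query(
    ['media' => $media, 'autoplay' => '1'],
    '',
    '&',
    PHP_QUERY_RFC3986
);

// Context 2: the URL is emitted inside an HTML attribute, so it is HTML-escaped
// as well: the & between parameters becomes &amp; and a quote in the value
// cannot terminate the attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<a href="', attr($url), '">play</a>', PHP_EOL;
echo '<a href="', attr($urlMulti), '">play (autoplay)</a>', PHP_EOL;

// The check a practitioner would keep in a test: no raw markup characters
// survive the first layer, so nothing can break out of the attribute.
if (strpbrk($url, '<>"\'') !== false) {
    throw new RuntimeException('payload survived URL encoding');
}
```

Two caveats. If the untrusted value is the whole URL rather than one parameter, percent-encoding it would break the link; validate the scheme instead and accept only http and https, because `javascript:alert(1)` in an `href` executes without any angle brackets. And the receiving page (here `player.html`) gets the decoded value back when it reads `media`; it must treat that value as untrusted again when it writes it into the DOM.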

How to filter XSS out but still allow basic formatting tags

Using HTMLPurifier:

// Composer users: require 'vendor/autoload.php'. The standalone download
// ships HTMLPurifier.auto.php, which registers the library's autoloader.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// The tags and attributes you want to allow; everything else, including
// script tags and on* event-handler attributes, is removed.
$config->set('HTML.Allowed', 'br,img[src],p,b');

$purifier = new HTMLPurifier($config);

// $inputHtml holds the untrusted HTML submitted by the user.
print $purifier->purify($inputHtml);

Another possible solution is to load your HTML into DOMDocument, remove unwanted elements or attributes, and get the updated HTML.
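As an added example (not code from the answer above and not HTML Purifier's own code), here is that DOMDocument approach carried through: an allowlist of tags and attributes that mirrors the `HTML.Allowed` list in the Purifier snippet, depth-first unwrapping of disallowed tags, complete removal of script-like elements, and a scheme check on `href`/`src`. The allowlist, the `DROP_WITH_CONTENT` list and the sample input are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer or from HTML Purifier:
// an allowlist sanitizer built on DOMDocument. The allowed tags/attributes are
// an assumption, chosen to mirror the HTML.Allowed list in the Purifier snippet.
const ALLOWED_TAGS = [
    'p'   => [],
    'b'   => [],
    'br'  => [],
    'a'   => ['href'],
    'img' => ['src', 'alt'],
];
// Elements whose content must go too (unwrapping a <script> would leak its
// code as visible text; svg/math open foreign-content parsing modes).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];

// Only http(s) or relative URLs may appear in href/src. Control characters and
// whitespace are stripped before parsing because browsers ignore them, so
// "java\nscript:alert(1)" would otherwise pass as a scheme-less relative URL.
function isSafeUrl(string $url): bool
{
    $cleaned = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
    $parts = parse_url($cleaned);
    if ($parts === false) {
        return false;                                   // unparseable: reject
    }
    if (!isset($parts['scheme'])) {
        return true;                                    // relative URL
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);           // malformed input is expected
    // The XML PI makes libxml read the input as UTF-8; the wrapper div lets us
    // serialise only the fragment, without the html/body libxml adds.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    if ($root === null) {
        return '';
    }
    cleanChildren($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                 // text nodes come out escaped
    }
    return $out;
}

function cleanChildren(DOMNode $parent): void
{
    // Iterate over a snapshot: removing nodes from the live DOMNodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);               // comments, CDATA, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        cleanChildren($child);                          // depth first: children are clean before unwrapping
        if (!isset(ALLOWED_TAGS[$tag])) {
            while ($child->firstChild !== null) {       // unwrap: keep the content, drop the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);   // on* handlers, style, javascript: URLs, ...
            }
        }
    }
}

// Constructed sample input mixing allowed markup with several injection attempts.
$sample = '<p onclick="alert(1)">Hello <b>world</b><script>alert(2)</script>'
    . '<img src="javascript:alert(3)" onerror="alert(4)"> '
    . '<a href="https://example.com/?a=1&b=2" target="_blank">link</a>'
    . '<!-- comment --><div style="x">div text</div></p>';

echo sanitizeHtml($sample), PHP_EOL;
```

On the sample, the `onclick`, `onerror`, `target` and `style` attributes and the `javascript:` `src` are dropped, the script element disappears with its body, the comment is removed, and the `div` is unwrapped to its text while `p`, `b`, `img` and the `https` link survive. One caveat before using this in production: libxml2 parses as HTML 4, so its view of malformed markup can differ from a modern browser's (the root of mutation-XSS problems), which is why a maintained sanitizer such as HTML Purifier is the safer default.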

Which symbols should not be allowed in forms?

ALL symbols should be allowed. You need to make sure that you are escaping them properly.

Is SQL injection and cross-site scripting still a thing?

I'll tell a story.

My mother used to volunteer with a group to go to the local college campus to help students register to vote (in the US, people can vote at age 18, but they aren't registered by default; they have to fill out a form). She and her group would set up a table in the quad with a supply of forms and guide the students to fill it out and mail it in.

After years of doing this, one of the other women in the group said, "We've been coming onto campus to help these kids register for TEN YEARS! When are they going to be able to do it on their own?"

My mom and the others looked at her and said slowly, "There is a new set of students turning 18 years old every year."

The same thing is true for defense against SQL injection and Cross-Site Scripting. There are new programmers entering the profession every year.

In fact, studies show that the number of software developers doubles every five years, which means at any given time, 50% of software developers are what I would consider "junior developers" with less than five years of experience. By the time those people have become senior developers, there's again just as many younger developers who have entered the profession after them.

All of them need to be trained to understand SQL injection and Cross-Site Scripting defense before they should be allowed to put their code on a live server.

One at a time.

Every year.

SQL injection and Cross-Site scripting will continue to be a thing as long as there are software developers.


I can also reference the SQLi Hall-of-Shame, a web page that references news stories about data breaches perpetrated by exploiting SQL injection vulnerabilities. There seem to be multiple such stories every month, and these are just the break-ins that made the news. It's undoubtedly the tip of the iceberg.

How to prevent html or javascript injection with server-side php

I use HTML Purifier to strip out the bits I don't want and leave in the bits I do. The default rules are pretty good, but it offers enormous flexibility if you need it.
