Untrusted data in PHP [duplicate]


What is the meaning of untrusted data? Is it all data that is generated dynamically, or just data from user input?


Given the already posted answers and comments to this and similar questions here, the answer to your question "what is untrusted data" is simple:

Everything coming from the client, regardless of whether it arrives via POST, GET, PUT, HEAD, Cookie or anything else, should be regarded as untrusted.

As a matter of fact, all data coming from "the client" need not actually come from there and can always be crafted to abuse any vulnerability of your server software, whether you are using it or not.

Period.

You need to use a function like htmlspecialchars() to protect from XSS whenever you output something to the browser that came from user input.

When you echo your input, use it like posted below:

echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

Google Code University also has some very educational videos on Web Security.

Untrustworthy data is any data that can potentially harm your web application. Being automatically generated doesn't automatically make data dangerous.

Generally speaking, if the data comes from somewhere or something you don't trust, then it's untrustworthy.

Usually that means any data that comes from the user land.

The way you should secure data is related to what that data will be used for. For instance, if you wish to store it in a database, then you must ensure it is properly escaped to prevent SQL injection. If the data will be used to exec shell commands, then escapeshellarg and escapeshellcmd are in order.
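As an added example, not code from any of the answers above, the following shows one constructed untrusted value handled differently for each of the three contexts the answers mention (HTML output, SQL storage, shell argument). It assumes the PHP CLI with PDO's SQLite driver available.

```php
<?php
// Added example: the same untrusted string, handled per output context.
// Assumes PHP 7+ with the pdo_sqlite extension.

// Constructed sample input: a plausible comment carrying an apostrophe,
// an HTML tag and a shell metacharacter.
$untrusted = "Bob's <script>alert(1)</script>; rm -rf /";

// 1. HTML context: encode on output rather than stripping tags, so the
//    text is shown verbatim but cannot be interpreted as markup.
function renderComment(string $comment): string {
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 2. SQL context: bind the value as a parameter; the driver keeps data and
//    query text apart, so no manual escaping is involved.
function storeComment(PDO $db, string $comment): int {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return (int) $db->lastInsertId();
}

// 3. Shell context: quote the whole value as a single argument so the
//    semicolon cannot terminate the command.
function buildShellCommand(string $arg): string {
    return 'echo ' . escapeshellarg($arg);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store, then read back: the row must contain the original text unchanged,
// because escaping is an output concern, not a storage one.
$id = storeComment($db, $untrusted);
$stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
var_dump($stored === $untrusted); // round-trip check

echo renderComment($stored), PHP_EOL;      // safe for an HTML page
echo buildShellCommand($untrusted), PHP_EOL; // safe as a single shell argument
```

Run it with `php example.php`; the HTML line shows the tag encoded as entities and the shell line shows the whole value wrapped in single quotes.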


Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.

It can happen if your web app displays unescaped data introduced by users. A simple example would be a blog site which doesn't escape comments from users. Removing HTML entities (such as script tags, iframes, etc.) should be enough to prevent this kind of attack.