Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site
Examples of XSS that I can use to test my page input?
What are examples/types of client side xss attacks in php and how can I prevent them?
Plain text as HTML. When you forgot to escape plain text with htmlspecialchars. No prevention needed: just escape your variables when you use PHP in templates. Or use smarty/twig/etc.
HTML as HTML: when you allow users to create HTML(fckeditor/tinymce/plain HTML/etc). Use HTML sanitizer.
BB codes to HTML conversion. Do not use own regex-based parser, use only FSM-parsers.