What is the recommended (and hopefully simple) way to screen user input to prevent cross-site scripting/code injection?
I don't think there's one answer, since it depends on what your application is trying to do.
A general solution is to filter all user inputs through either htmlentities() or strip_tags() when outputting them to the browser.
One way is to use htmlspecialchars() or htmlentities() on any text printed to screen that has its origin from the user.
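
The output-time escaping suggested in the replies above, shown next to strip_tags() for the same value placed in a quoted HTML attribute. This is an added example, not code from the thread; the helper name e() and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): escape a value at output time
// for use in HTML text or inside a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning
    // an empty string. The charset is stated explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for request data ($_GET / $_POST).
$samples = [
    'plain text'      => 'Tom & Jerry',
    'markup'          => '<b>hi</b><script>alert(1)</script>',
    'attribute break' => '" onmouseover="alert(1)',
];

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";
    // strip_tags() removes tags but leaves quotes and ampersands untouched.
    echo 'strip_tags: <input value="' . strip_tags($raw) . "\">\n";
    // e() encodes every HTML metacharacter, so the value stays data.
    echo 'escaped:    <input value="' . e($raw) . "\">\n\n";
}
```

The third sample contains no tags, so strip_tags() returns it unchanged and its leading quote ends the value attribute, while e() emits it as &quot; and the whole string remains inside the attribute. Escape when writing the value into the page, and keep the stored data raw.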