Cross Site Scripting

Sending unvalidated data to a web browser can result in the browser executing malicious code.

Cross site scripting (XSS) vulnerabilities occur when:

1. Data enters a web application through an untrusted source. In the case of Persistent (also known as Stored) XSS, the untrusted source is typically a database or other back-end datastore, while in the case of Reflected XSS it is typically a web request.

2. The data is included in dynamic content that is sent to a web user without being validated or encoded for the context (HTML body, attribute, script, URL) it is written into.

Recommendations:
Encode untrusted data at the point it is written into the HTML response, whether it came from the request (Reflected XSS) or from the database (Stored XSS), using htmlspecialchars() or htmlentities(). Pass ENT_QUOTES and the page charset explicitly so that single quotes are encoded too (the default flag set on PHP 8.0 and earlier, ENT_COMPAT, leaves them alone), and add ENT_SUBSTITUTE so an invalid byte sequence is replaced instead of blanking the whole string. These functions are only correct for HTML text and quoted attribute values; data placed inside a <script> block, a URL or CSS needs the encoder for that context.
e.g.:

$getSql = "SELECT coursetypeId, coursetypeName FROM coursetype WHERE deleteFlag = 0 ORDER BY coursetypeOrder";
$getSql_sth = $dbh->prepare($getSql);   // $dbh is an existing PDO connection
$getSql_sth->execute();
while ($results = $getSql_sth->fetch(PDO::FETCH_ASSOC)) {
    // encode every value as it is written into the HTML response; the stored
    // name is the field most likely to carry a payload
    echo htmlentities((string) $results['coursetypeId'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo htmlentities((string) $results['coursetypeName'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
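The following is an added example, not code from the original page, showing a stored XSS end to end: the vulnerable rendering loop beside the hardened one, run against an in-memory SQLite copy of the coursetype table seeded with a constructed payload. It assumes the pdo_sqlite extension is installed; the helper name e() and the <option> markup are illustrative choices, not part of the original application.

```php
<?php
// Added example (not the original page's code): stored XSS demonstrated with an
// in-memory SQLite database standing in for the real coursetype table.
// Assumes the pdo_sqlite extension is available.

declare(strict_types=1);

// Escape untrusted data for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also encodes the single quote, which the default on PHP 8.0 and
// earlier (ENT_COMPAT) leaves alone; ENT_SUBSTITUTE replaces invalid UTF-8 with
// U+FFFD instead of returning an empty string, so a malformed byte sequence
// cannot blank the output.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed data store: same columns as the page's query, seeded with a payload
// that a user could have submitted through a course-type form and that is now
// persisted, i.e. Stored XSS.
$dbh = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$dbh->exec('CREATE TABLE coursetype (coursetypeId INTEGER, coursetypeName TEXT, deleteFlag INTEGER, coursetypeOrder INTEGER)');
$ins = $dbh->prepare('INSERT INTO coursetype VALUES (?, ?, 0, ?)');
$ins->execute([1, 'Diploma', 1]);
$ins->execute([2, '<img src=x onerror="alert(document.cookie)">', 2]); // constructed stored XSS payload
$ins->execute([3, "Bachelor's", 3]);                                   // benign value containing a quote

$getSql = 'SELECT coursetypeId, coursetypeName FROM coursetype WHERE deleteFlag = 0 ORDER BY coursetypeOrder';
$rows = $dbh->query($getSql)->fetchAll(PDO::FETCH_ASSOC);

// Vulnerable: the stored value is concatenated into the page as-is, so the
// <img onerror> payload becomes markup and runs in every visitor's browser.
function renderVulnerable(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $html .= '<option value="' . $r['coursetypeId'] . '">' . $r['coursetypeName'] . "</option>\n";
    }
    return $html;
}

// Hardened: every untrusted value is encoded at the point it is written into
// HTML. The id is encoded as well; "it is always numeric" is an assumption the
// schema above does not enforce.
function renderSafe(array $rows): string
{
    $html = '';
    foreach ($rows as $r) {
        $html .= '<option value="' . e((string) $r['coursetypeId']) . '">'
               . e((string) $r['coursetypeName']) . "</option>\n";
    }
    return $html;
}

echo "--- vulnerable ---\n", renderVulnerable($rows);
echo "--- safe ---\n", renderSafe($rows);
```

In the vulnerable output the second row is emitted as a live <img> element with an onerror handler; in the safe output it becomes `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text, and the apostrophe in the third row is encoded as `&#039;` rather than being left to break out of a single-quoted attribute. Note that the encoding happens in the view at output time: storing already-encoded data in the database instead would double-encode it for any other consumer (an API response, a CSV export) and still leaves any code path that reads the raw column unprotected.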