Today I came across a question: "what is most important when trying to prevent a cross-site scripting attack?"
The answer is quite intuitive. The most important rule for preventing cross-site scripting is "never trust user input". Not far behind comes "escape output".
These are general server-side programming rules; they do not apply only to a specific language such as PHP.
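
Both rules applied to one rendering function, as an added example that is not part of the original post. It is written in Python because the rules are language-independent; the function names, the allow-list for display names and the sample values are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Assumed policy: a display name is 1-32 letters, digits, spaces, "_" or "-".
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,32}")


def validate_name(raw):
    """Never trust user input: reject what is outside the allow-list."""
    if not isinstance(raw, str) or not NAME_RE.fullmatch(raw):
        raise ValueError("invalid display name")
    return raw


def safe_href(raw):
    """Escaping does not neutralise a javascript: URL, so check the scheme first."""
    if urlparse(raw).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(raw, quote=True)


def render_unsafe(name, comment, homepage):
    """The 'before': user input concatenated straight into the markup."""
    return '<p><a href="' + homepage + '">' + name + "</a>: " + comment + "</p>"


def render_safe(name, comment, homepage):
    """The 'after': validate on the way in, escape for the HTML context on the way out."""
    return '<p><a href="{}">{}</a>: {}</p>'.format(
        safe_href(homepage),
        html.escape(validate_name(name), quote=True),
        html.escape(comment, quote=True),
    )


# Constructed sample input, not taken from any real request.
SAMPLE_COMMENT = "<script>alert(1)</script>"
SAMPLE_URL = "https://example.org/?a=1&b=2"

if __name__ == "__main__":
    print(render_unsafe("bob", SAMPLE_COMMENT, SAMPLE_URL))
    print(render_safe("bob", SAMPLE_COMMENT, SAMPLE_URL))
```

The escaping used here is correct for HTML element content and quoted attribute values only; values placed inside a script block, a style block or an unquoted attribute need the encoding for that context.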