What security measures should PHP developers consider when incorporating user input into HTML code?

When incorporating user input into HTML code, PHP developers should consider implementing proper input validation and sanitization to prevent cross-site scripting (XSS) attacks. This involves validating user input to ensure it meets expected criteria and sanitizing input to remove any potentially harmful content.

// Example of input validation and sanitization
$userInput = $_POST['user_input'];

// Validate input
if (!empty($userInput)) {
    // Sanitize input
    $sanitizedInput = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
    
    // Use sanitized input in HTML code
    echo "<p>User input: $sanitizedInput</p>";
} else {
    echo "Invalid input";
}