htmlspecialchars().<script>, <iframe>, and inline events.<script>alert('XSS Attack!')</script><img src=x onerror='alert(1)'><a href='https://malicious.com'>Click here</a><iframe src='https://evil.com'></iframe><script>document.body.style.background='pink'</script>Result: All of these are blocked or encoded, so no malicious code is executed.