Injection is an attack that involves breaking out of a data context and switching into a code context through the use of special characters that are significant in the interpreter being used. - OWASP

Many PHP applications will HTML encode any untrusted data using htmlentities() irrespective of context. This is a problem as htmlentities does not mitigate certain XSS injections. For example, the output of any data that will be used as a URL:

echo '<a href="', htmlentities( 'javascript:alert("xss");' ), '">XSS</a>';

In this instance htmlentities is not sufficient protection, the above outputs

<a href="javascript:alert(&quot;xss&quot;);">XSS</a>

To prevent this injection URLs should be validated on input, and htmlentites() encoded on output.

$url = 'http://hostname/path?arg=value';

$parsedUrl = parse_url( $url );

if( $parsedUrl['scheme'] != 'http' && $parsedUrl['scheme'] != 'https' ) {
    // reject URL
} else {
    $url = mysqli_real_escape_string( $mysqli, $url );
    $sql = "INSERT INTO table (url) VALUES ('$url')";
    // insert query
}

...

echo '<a href="', htmlentities( $url ), '">XSS</a>', "\n";

The URL now stored in the database should still be output using htmlentities() to encode quote marks that could inject further code, such as in this example:

http://www.test.com/" onClick="javascript:alert(\'xss\');"

For further information about XSS, the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet offers a list of XSS Prevention Rules, while RSnake’s XSS (Cross Site Scripting) Cheat Sheet is the definitive list of XSS injection test strings.