Prevent HTML from being displayed from the $_GET method
I'm currently working on a user management system.
I have the register and sign-in page, among other pages, that all use $_GET. After experimenting around a bit I noticed that you can print HTML code from the GET parameters when you know exactly what you are doing. There is probably a way to exploit this by using onerror in an img tag, for example.
How can I prevent this from happening?
The URL: users.php?s=login&mail=">%20<img%20src=%27../images/notification_bell.png%27%20width=%2725px%27>
What it displays:
And my code:
```php
<?php
// $mail comes straight from the query string and is echoed unescaped (the bug).
$url  = 'users.php?s=login';
$mail = $_GET['mail'] ?? '';
print ' <form action="' .$url. '" method="post">
<input type="hidden" name="a" value="login"/>
<b><label for="mail">E-Mail:</label></b>
<input type="email" id="mail" name="mail" maxlength="50" value="' .$mail. '" required><br><br>
</form>';
```
Solution 1:[1]
Use htmlspecialchars() to convert user-supplied characters into web-safe code: https://www.php.net/htmlspecialchars
Also, maybe you could use filter_var() to validate the email and simply unset it if it's invalid: https://www.php.net/filter_var
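An added example (not the asker's or the answerer's code) that combines both suggestions: filter_var() drops an invalid address before it reaches the form, and htmlspecialchars() escapes whatever is echoed into the value attribute. The form markup and the query parameters are taken from the question; the function names are assumptions of mine.

```php
<?php
// Added example: hardened version of the login form from the question.

// Validate the e-mail from the query string; return '' if it is not a
// syntactically valid address, so a reflected payload never reaches the form.
function sanitize_mail(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? '' : $valid;
}

// Escape for an HTML attribute context. ENT_QUOTES also converts the single
// quote, which matters because the payload in the question uses single quotes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_login_form(string $url, ?string $raw_mail): string
{
    $mail = sanitize_mail($raw_mail);
    return '<form action="' . h($url) . '" method="post">'
         . '<input type="hidden" name="a" value="login"/>'
         . '<b><label for="mail">E-Mail:</label></b>'
         . '<input type="email" id="mail" name="mail" maxlength="50" value="'
         . h($mail) . '" required><br><br>'
         . '</form>';
}

// Constructed demo inputs: the value from the question's URL, and a normal address.
$payload = '"> <img src=\'../images/notification_bell.png\' width=\'25px\'>';
echo render_login_form('users.php?s=login', $payload), PHP_EOL;   // value="" (rejected)
echo render_login_form('users.php?s=login', 'alice@example.com'), PHP_EOL;

// Escaping alone is enough to keep the markup inert even without validation:
// every <, >, " and ' in the payload becomes an entity, so the browser shows
// it as text instead of creating an <img> element.
echo h($payload), PHP_EOL;
```

In the real page the first argument to render_login_form() would be $url and the second $_GET['mail'] ?? null; the rejected-or-escaped value is what ends up inside value="...".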
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Kae Verens |
