One way is to make it clear on your interface that you do not accept HTML tags, and be explicit about what you do allow in.
Then, filter out anything which does not match what you expect.
As an extreme, filter out anything not a space, letter or number:
<?php
// Remove all but numbers, letters, space and dash (hyphen placed last in the
// character class so it is read as a literal, not as part of a range)
$input = '0123?> Abc -_#';
$output = preg_replace('#[^0-9a-z -]#', '', strtolower($input));
echo $output; // 0123 abc -
Or look at using PHP's filter extension (PHP: Filter - Manual).
Despite filtering, still go on and escape the input based on where it is going next, maybe your database?
Or use PDO or mysqli's prepared statements (preferably).
Finally, escape the data when you get it out of your database for the next environment it is going to go to, e.g. a webpage:
htmlentities and that family of escape mechanisms.
Filter Input, Escape Output (FIEO) - sleep o' nights.
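An added example (not code from the answer above) that walks the three steps together in PHP: filter on the way in, store through a PDO prepared statement, escape on the way out. It assumes an in-memory SQLite database via PDO; the table and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Step 1: filter input. Keep only what this field is allowed to contain
// (a nickname: lowercase letters, digits, space and dash); drop the rest.
function filterNickname(string $input): string
{
    // Hyphen placed last in the class so it is a literal, not a range.
    return preg_replace('#[^0-9a-z -]#', '', strtolower($input));
}

// Step 2: store with a prepared statement. The value is bound as data and
// never spliced into the SQL text, so it cannot alter the query's structure.
function saveNickname(PDO $db, string $nickname): void
{
    $stmt = $db->prepare('INSERT INTO users (nickname) VALUES (:nick)');
    $stmt->execute([':nick' => $nickname]);
}

// Step 3: escape output for the environment it is going to (HTML here).
// Filtering on the way in does not replace this step.
function renderNickname(string $nickname): string
{
    return '<li>' . htmlspecialchars($nickname, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Hypothetical schema in an in-memory SQLite database (assumption, no server needed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nickname TEXT NOT NULL)');

// Constructed sample inputs: the one from the answer, and one with quotes and tags.
foreach (['0123?> Abc -_#', "O'Brien <b>bold</b>"] as $raw) {
    saveNickname($db, filterNickname($raw));
}

// A field stored without the strict filter (constructed) is still bound as data
// and still escaped when rendered, which is why step 3 is never skipped.
saveNickname($db, "<b>unfiltered</b> & 'quoted'");

foreach ($db->query('SELECT nickname FROM users ORDER BY id') as $row) {
    echo renderNickname($row['nickname']), PHP_EOL;
}
```

Run it with the PDO SQLite driver enabled; the unfiltered row comes back with its angle brackets, ampersand and quotes converted to HTML entities while the filtered rows contain only the permitted characters.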