Consider below url entered by user:
What are ways to stop this type of cross-site scripting?
htmlentities or htmlspecialchars
<?php echo htmlentities($_GET['id']); ?>
Another thing, make sure you validate ALL input, especially anything that is accessible via a URL
<?php $validateId = (int)$_GET['id'];
echo $validateId; ?>
But how can I prevent execution of any JS function from url?
See my prior post, use htmlentities when you output anything you receive from a URL variable or a posted form.