XSS can occur if you let users enter text, and display that back on a web page without properly sanitizing it (by making sure that it does not contain unwanted HTML or JavaScript fragments). So you should consider how to ensure that user-entered data is validated, and in particular, cleaned of any HTML/JavaScript it may contain.
The Security FAQ has some links on web app security in general, and XSS in particular. There's also an article on SQL injection, which is a similar kind of attack on databases.
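As an added illustration of the point above (this is example code, not from the original post or any linked FAQ): the same user comment rendered by a function that concatenates it straight into the page, beside one that HTML-escapes it at the point of output. The comment text and the `renderComment*` function names are constructed for the example.

```javascript
// Added example: output encoding of untrusted text before it is placed in HTML.
// Assumes a server-side template that builds a page fragment from a user comment.

// Every character with HTML meaning is replaced by its entity, so the browser
// treats the text as data rather than markup. The set covers element content
// and both double- and single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-entered text is dropped into the page verbatim,
// so any markup it contains becomes part of the document.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened pattern: the untrusted value is escaped exactly where it is output.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Helper for checking a rendered fragment: is there still a raw <tagName ...> in it?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed sample input: a comment that carries a script element.
const SAMPLE_COMMENT = 'Nice post! <script>alert("xss")</script>';

console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe:  ', renderCommentSafe(SAMPLE_COMMENT));
```

Escaping belongs at output time and must match the context (element body here; URLs, JavaScript strings and CSS each need their own encoding), which is why libraries expose separate encoders rather than one generic "clean" function.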