Can someone please advice me for hoe can i prevent xss attacks ?

I briefly answered your question here by saying:

To prevent cross-site scripting attacks, you similarly want to make sure that all text derived from user-generated input is HTML escaped. If using PHP, you can use the htmlspecialchars() function.

It really is that simple, if you're using PHP. I do see you tagged this code Javascript, so here's a quick JS function I found on this page of SO that you can use:

function escape(s) {
    let lookup = {
        '&': "&",
        '"': """,
        '\'': "'",
        '<': "&lt;",
        '>': "&gt;"
    };
    return s.replace( /[&"'<>]/g, c => lookup[c] );
}
console.log(escape("<b>This is 'some' text.</b>"));

As you can see, all it takes to escape HTML code is to replace &, ", ', < and >. Ampersand, double quote, single quote, less than, and greater than are kinda like reserved characters in HTML. Once you escape those, no one can inject user-generated content to execute HTML or JS on your page that you don't want it to, which is what an XSS attack is.

In whatever code language is running on the server, use a well known database library that is well documented and features XSS aka sql injection prevention.

Minimize the use of inline JavaScript within your HTML code. Instead, use external JavaScript files and scripts to separate content from functionality.Ensure that sensitive cookies have the HttpOnly and Secure flags set.