Articles found for the tag: Security

Securing your module 4/4 - Protect your template against XSS vulnerabilities

2 years ago

If you don't know what an XSS (Cross-Site Scripting) flaw is, I recommend that you do a quick search on the Internet. The most common XSS error is using GET or POST values in templates.

Securing your module 3/4 - Protect your code against SQL injections

2 years ago

Even though PrestaShop has been using the PDO library since version 1.5, it still does not call some important methods, such as bindParam() or bindValue(), which are designed to protect SQL queries. So we have to protect them manually.

Securing your module 2/4 - Disallow direct file access

2 years ago

The PHP files in your modules should contain only class definitions and no dots, except for Ajax scripts (and even then, you should only go through front or admin controllers). It is still recommended to prohibit access to all subdirectories containing PHP files or templates.

Securing your module 1/4 - Protecting yourself against Directory listing

2 years ago

Directory listing is enabled by default on many web servers, and depending on your host, it will be more or less easy to disable.


