In most cases, dynamic data in forms is handled by the Form API, which does a pretty good job of keeping it clean. The variables in hook_menu(), for example, are picked up as a % sign and then translated into a callback array, so they are “cleansed” as they pass through the Drupal core code.
'mymodule_abc_edit',
'page arguments' => array(1),
);
// more code ...
return $items;
}
?>
On the other hand, there may be times when you really need to pass dynamic data as a $_GET variable that is tacked onto a URL. In this case, you need to pass the value through the urlencode() function.
When you are passing a user-submitted URL in a hyperlink, the Drupal documentation says to use urlencode() rather than check_plain().
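The difference between the two kinds of escaping in the last two paragraphs, as an added example in plain PHP (not code from the original page or from Drupal). The sample value and the `example_*` function names are assumptions made for illustration; htmlspecialchars() stands in for check_plain(), which wraps it.

```php
<?php
// Added illustration in plain PHP; function names are hypothetical.

// Constructed sample value, as a user might submit it.
$input = 'black&white#1';

// Returns the parameters PHP would place in $_GET for the given URL.
function example_get_params($url) {
  $params = array();
  parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
  return $params;
}

// Appends one query parameter, URL-encoding both key and value.
function example_add_query($path, $key, $value) {
  return $path . '?' . urlencode($key) . '=' . urlencode($value);
}

// HTML escaping alone: the browser turns &amp; back into & before it
// requests the URL, so the value splits into two parameters and the
// part after # becomes a fragment that is never sent to the server.
$escaped_only = 'search?q=' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
$requested = htmlspecialchars_decode($escaped_only, ENT_QUOTES);
var_export(example_get_params($requested));
echo "\n";

// urlencode(): the value reaches the server as a single parameter.
$encoded = example_add_query('search', 'q', $input);
var_export(example_get_params($encoded));
echo "\n";

// The finished URL is still escaped for the HTML attribute it lands in.
echo '<a href="' . htmlspecialchars($encoded, ENT_QUOTES, 'UTF-8') . '">Search</a>', "\n";
```

Comparing the two var_export() dumps shows which form preserves the submitted value as the single `q` parameter.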