freejung - 12:03 am on Dec 8, 2011 (gmt 0)
Wow, that's a long string.
I should clarify my statement: PDO in general (not just xPDO, which is cooler for other reasons) uses parameterized queries and should be safe if used properly.
And I should say I haven't heard of anyone using MODX Revolution having problems with SQL or script injection. MODX Evolution, the earlier version, did have an SQL vulnerability at one point, but that was before they started using xPDO.
Generally speaking, whatever your language, you should use a framework that does parameterized queries as this has performance advantages in addition to being more secure.
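As an added example (not code from this post, MODX or xPDO), here is what "used properly" means for PDO: the untrusted value has to reach the driver through a placeholder, not through string concatenation into the query text, and placeholders cannot stand in for identifiers. It assumes an in-memory SQLite database with constructed sample rows.

```php
<?php
// Added example, not from the post or from MODX/xPDO. In-memory SQLite
// with constructed rows so it runs without any external database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the
// query text and the bound values travel to the server separately.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed input standing in for an untrusted request parameter.
$untrusted = "' OR '1'='1";

// Unsafe: PDO is in use, but the value is concatenated into the SQL text,
// so the driver parses it as part of the query. Returns every row.
function findByNameUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text holds only a placeholder; the value is bound
// separately and compared as a literal string. Returns no rows.
function findByNameSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Caveat: a placeholder can only represent a value, never a column name
// or keyword. Anything that lands in that position must be allow-listed.
function listNamesOrderedBy(PDO $pdo, string $column): array {
    $allowed = ['name', 'email'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unexpected sort column');
    }
    $stmt = $pdo->query("SELECT name FROM users ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findByNameUnsafe($pdo, $untrusted)); // both names: filter defeated
var_dump(findByNameSafe($pdo, $untrusted));   // empty array
var_dump(listNamesOrderedBy($pdo, 'email'));  // alice, bob
```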