Anywhere where you send back unfiltered input is an XSS vulnerability.
For how to fix them, see the link to OWASP above for a comprehensive answer.
In essence: make sure there is no HTML in the input that goes back to the user - yes, that's all it takes to have an XSS vulnerability.
Simply changing < > " ' and & to their respective htmlentities is enough in the cases you've shown so far.
htmlencode() is ok too - but it's not a generic solution in all possible cases - you should escape those things that in the context of where you output them can hurt you.
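
The point above about escaping for the context you output into, as an added example that is not part of the original answer. The function names (`escapeHtml`, `escapeJsString`, `safeHref`) and the sample inputs are hypothetical and constructed for illustration:

```javascript
// Added example: one untrusted value, three output contexts, three different escapes.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body or quoted attribute value: replace the five characters named in the answer.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// String literal inside an inline <script> block: the HTML parser does not decode
// entities there, so entity encoding is the wrong tool. Serialize as a JSON string
// and \u-escape characters that could close the script element or break the literal.
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// href/src attribute: entity encoding leaves "javascript:..." untouched, so check the
// scheme against an allow-list first, then entity-encode for the attribute.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(value) {
  const raw = String(value).trim();
  let parsed;
  try {
    // The base URL (a placeholder) lets relative links parse; the WHATWG parser
    // also strips embedded tabs/newlines the way browsers do.
    parsed = new URL(raw, 'https://placeholder.invalid/');
  } catch (err) {
    return '#';
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? escapeHtml(raw) : '#';
}

// Constructed sample input, rendered into each context.
const sample = '</script><img src=x onerror="alert(1)">';
console.log('<p>' + escapeHtml(sample) + '</p>');
console.log('<script>var q = ' + escapeJsString(sample) + ';</script>');
console.log('<a href="' + safeHref('javascript:alert(1)') + '">link</a>');
```
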