Just as a quick hint for the answers, I decided to blog about which answer is right - and why.
1. The third answer is correct, apart from the fact that the regexp is lacking a delimiter. Were it a correct regexp (which we assume is only due to a typo), it would strip all NON-WORD characters from the string. Answers 1 and 2 do not protect against closing of HTML tags (answer 1, " and > are only prefixed with \, which doesn't matter for HTML renderers) and closing of HTML attributes (strip_tags does strip anything between <>, but NOT attributes like " foo="bar" which do not contain <>).
2. Answer 2 is correct. The /e modifier for preg_replace is fed a string from $_GET. The htmlentities call which supposedly escapes double quotes is executed after the string is imported from $_GET. A string like \");phpinfo(); in $_GET['name'] would therefor allow remote code execution. Answers 1 and 3 are not correct because 1 does not give a 1-request remote code execution, but only a local one, although exploiting that would be trivial. Answer c simply is not vulnerable because in this answer, htmlentities() is called outside the eval (concatenated with ..).
3. Answer 5 is correct, since any tag can contain e.g. a "style" attribute.
4. Answer 4 is correct, since the JavaScript "virtual machine" inside the browser has no control over the client-side file system. Keylogging via JS, a simple TCP port scanner and viable Session Riding attacks have all been successfully done with XSS already.
Have fun on the rest of the conference, and good luck in the draw!