Escaping input is not the best you can do for successful XSS prevention; output must also be escaped. If you use the Smarty template engine, you may use the |escape:'htmlall' modifier to convert all sensitive characters to HTML entities (I use my own |e modifier, which is an alias for the above).
My approach to input/output security is:
- store user input unmodified (no HTML escaping on input, only DB-aware escaping done via PDO prepared statements)
- escape on output, depending on what output format you use (e.g. HTML and JSON need different escaping rules)
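The store-raw / escape-on-output pattern from the list above, as an added example in plain PHP that is not part of the answer: the comment text is written to the database unmodified through a PDO prepared statement, and the same stored value is then escaped one way for an HTML context and another way for JSON inside a script element. The in-memory SQLite database and the `comments(body)` table are constructed for the example so it runs stand-alone.

```php
<?php
// Added example (not from the answer above): store user input unmodified,
// escape only on output, with the escaping chosen per output context.
// Uses an in-memory SQLite database so it runs stand-alone; the table
// comments(body) is constructed for this example.

function storeComment(PDO $pdo, string $body): void {
    // No HTML escaping here: the prepared statement handles SQL quoting,
    // and the raw text stays intact for whatever output format needs it later.
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function forHtml(string $raw): string {
    // HTML body/attribute context: encode & < > " ' so the text can neither
    // open a tag nor break out of a quoted attribute value.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function forJsonInScript(string $raw): string {
    // JSON-in-<script> context: HTML entities would corrupt the JSON string,
    // so use json_encode; the HEX flags turn < > & ' " into \uXXXX escapes,
    // which keeps a stored "</script>" from closing the surrounding element.
    return json_encode($raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input resembling a hostile comment.
storeComment($pdo, '<script>alert("xss")</script> & O\'Brien');

// Read it back: the database holds the original text, untouched.
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo "Stored verbatim: $stored\n";

// Same value, two output contexts, two escaping rules.
echo '<p>' . forHtml($stored) . "</p>\n";
echo '<script>var comment = ' . forJsonInScript($stored) . ";</script>\n";
```

The HTML output becomes `&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; &amp; O&#039;Brien`, while the JSON output uses `\u003C`, `\u003E`, `\u0026`, `\u0022` and `\u0027` escapes instead; applying the HTML rule to the JSON context (or vice versa) would either corrupt the data or leave it exploitable.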