Pádraic Brady: A Hitchhiker’s Guide to Cross-Site Scripting (XSS) in PHP (Part 1)
Always set the third parameter to htmlspecialchars(), set it correctly, and make sure your document is never served with a mismatched or invalid character encoding! Don’t expect some theoretically perfect world to magically appear – browsers are filthily efficient at doing weird things you don’t expect.
With a nod to the anniversary of Douglas Adams' death on Sunday, Pádraic Brady has written possibly the definitive guide to the htmlspecialchars() function.
Read it. Then read it again.