If you need to accept HTML from users (a comment form, a rich-text editor) and render it back into a page, the best tool is the HTML Purifier library. Given a whitelist of allowed elements and attributes, HTML Purifier parses the input, drops everything not on the whitelist (script elements, event-handler attributes, javascript: URLs), and emits well-formed, standards-compliant HTML; that whitelist design is what makes it far more reliable than stripping tags with regular expressions, and it will generally let you sleep a bit safer at night. It is not a general-purpose input sanitizer, though. Its output is only safe where you intend it to go: into an HTML body context. You still have to escape the string correctly anywhere else you place it (inside an attribute value, a JavaScript string, a URL), and it does nothing against SQL injection, where prepared statements are the right defense.
Here’s a simple example of how to use it:
require_once 'vendor/autoload.php'; // Composer autoloader for ezyang/htmlpurifier (or library/HTMLPurifier.auto.php for a manual install)
$purifier = new HTMLPurifier();
$clean_html = $purifier->purify($user_string); // purify() returns the cleaned string; $user_string itself is not modified
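The following is an added example written for this page, not code from the HTML Purifier project, showing the pattern the text describes end to end: an explicit element/attribute whitelist, a restricted set of URL schemes, and the purified result stored through a PDO prepared statement rather than interpolated into SQL. It assumes HTML Purifier was installed with Composer (ezyang/htmlpurifier), that the pdo_sqlite extension is available, and a hypothetical comments table; the sample input is constructed to carry a few common XSS vectors.

```php
<?php
// Added example, not from the original page or the HTML Purifier project.
// Assumes: Composer install of ezyang/htmlpurifier, pdo_sqlite available,
// and a hypothetical `comments` table created below for demonstration.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Whitelist: only these elements and attributes survive. Anything else
    // (script, style, iframe, on* handlers, ...) is removed, not escaped.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href|title]');

    // Restrict href to these schemes, so javascript:, data:, vbscript: links
    // lose their href entirely.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    // HTML Purifier caches its parsed definitions on disk; point it at a
    // writable directory rather than the library's own folder.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    return new HTMLPurifier($config);
}

function storeComment(PDO $db, int $postId, string $rawHtml): string
{
    $clean = buildPurifier()->purify($rawHtml);

    // The purified string is safe to echo into an HTML body context, but for
    // the database it is still untrusted data: bind it, never interpolate it.
    $stmt = $db->prepare(
        'INSERT INTO comments (post_id, body_html) VALUES (:post_id, :body)'
    );
    $stmt->execute([':post_id' => $postId, ':body' => $clean]);

    return $clean;
}

// Constructed sample input carrying a script element, two event-handler
// attributes, a javascript: URL, and one legitimate link.
$dirty = '<p>Nice post!<script>alert(document.cookie)</script></p>'
       . '<a href="javascript:alert(1)" onmouseover="alert(2)">click</a> '
       . '<b onclick="alert(3)">bold</b> <a href="https://example.com">ok</a>';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body_html TEXT)');

$stored = storeComment($db, 42, $dirty);
echo $stored, PHP_EOL;
// Under this configuration the script element and its contents, both
// on* attributes and the javascript: href are dropped; the https link and the
// formatting elements on the whitelist are kept.
```

Keep the whitelist explicit rather than relying on the library defaults: the default definition admits far more of HTML than a comment box needs, and every extra element is attack surface you have to reason about. Note also that $stored is only safe when echoed as element content; if you ever place it inside an attribute (for example a title="" preview), run it through htmlspecialchars() for that context first.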