I know they are both used to prevent XSS attacks. But when I use htmlspecialchars, it seems just OK: <script> and <?php ?> would be displayed on the screen. It means they are not functioning, right? So, my question is, is htmlspecialchars enough for preventing XSS? If so, what is the reason for using strip_tags or a white list of tags?
htmlspecialchars is safe enough. It is very common as it displays the same as the user typed, but makes it harmless. strip_tags takes all the tags away, and is useful for a lot of other things.
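The following is an added example, not code from the question or the answer above. It runs the two functions over a constructed sample string (any PHP with ENT_SUBSTITUTE, i.e. 5.4 or later) to show why htmlspecialchars is the output-encoding step while strip_tags only removes markup, and where even htmlspecialchars is not enough.

```php
<?php
// Constructed sample input for demonstration only: a harmless tag, a script
// tag, and a double quote that could close an HTML attribute.
const SAMPLE_INPUT = '<b>Hi</b> <script>alert(1)</script> " onmouseover="x';

// Encode a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES also encodes single quotes (only the default since PHP 8.1);
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole result into "".
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the two safe output contexts: an element body and a quoted attribute.
function renderSafe(string $untrusted): string
{
    $escaped = escapeHtml($untrusted);
    return '<p>' . $escaped . '</p>' . "\n"
         . '<input value="' . $escaped . '">' . "\n";
}

// strip_tags() deletes the tags but keeps the text between them and leaves
// quotes untouched, so the result is still not safe to echo into an attribute.
function stripOnly(string $untrusted): string
{
    return strip_tags($untrusted);
}

// An unquoted attribute is a different context: the first space in the
// encoded value ends the attribute, so quoting the attribute is mandatory.
function renderUnsafeContext(string $untrusted): string
{
    return '<input value=' . escapeHtml($untrusted) . '>';
}

echo "htmlspecialchars, text and quoted attribute:\n", renderSafe(SAMPLE_INPUT);
echo "strip_tags only:\n", stripOnly(SAMPLE_INPUT), "\n";
echo "unquoted attribute (do not use):\n", renderUnsafeContext(SAMPLE_INPUT), "\n";
```

Running it shows that the encoded output keeps every character the user typed while no angle bracket or quote survives as markup, whereas strip_tags leaves `alert(1)` and the quote in place, which is why it is a content-cleaning tool rather than an XSS defence.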