I believe only allowing characters in the range of a-z and A-Z would remove any possibility of an xss attack? I've read a lot about simply putting all output through htmlspecialchars() but it seems that there are some cases in which this is not enough to provide complete protection.
Also, if [a-zA-Z]+ is totally safe, is there any way to accept ' and - characters totally safely to avoid any possible chance of an xss attack? (Since these are the two main characters found in names aside from a-z)
There's 2 sides to this question.
First off: yes of course, if there's no way to 'break out of context' you're eliminating all chances of both XSS and SQL injection exploits. It's impossible to insert either JS or SQL if you can only use alphabetic characters.
Second: it's of course not a real protection, akin to never driving a car again as a failsafe method not to get in accidents. One day or another you are going to have input forms on your site which require other characters to be inserted, and you're going to be screwed. Just writing your code to be fundamentally safe, never trust client input, and properly escape all HTML generated by your code is in the end the only safe route.
What you're trying to do is solve an output problem on the input end, which just doesn't work. If you have arbitrary user input, you'll eventually have people trying to abuse it to do nasty things. Learn how to escape it properly on the output end, use a template system like Twig for output that handles most XSS problems inherently, and use a DAL/ORM like Doctrine or a good parametrized database access API like MySQLi or PDO to avoid SQL injection.