Should I use PHP's htmlentities() with PDO to filter input and escape output, to protect from XSS attacks?
Use htmlentities (or preferably htmlspecialchars) when outputting user-supplied content in an HTML context (i.e. when displaying it on your website). Don't HTML-escape values that go into the database, since there's no XSS vulnerability there and you usually want to store the raw data in the database and escape it later as necessary.
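The pattern this answer describes, as an added example (not code from the original answer): the PDO prepared statement handles the database side, the value is stored exactly as submitted, and `htmlspecialchars` is applied only when the value is rendered into HTML. The in-memory SQLite database, the `comments` table and the helper names are assumptions made for the example.

```php
<?php
// Added example, not from the original answer.
// Assumes: an in-memory SQLite database with a table comments(id, body).
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Input side: parameter binding protects against SQL injection.
// The text is stored raw; no HTML escaping happens here.
function saveComment(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Output side: escape for the HTML context at render time.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// single-quoted attributes as well as element content; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string, which
// would silently drop the whole value.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComments(PDO $pdo): string
{
    $html = "<ul>\n";
    foreach ($pdo->query('SELECT body FROM comments ORDER BY id') as $row) {
        $html .= '  <li>' . e($row['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

$pdo = connect();
// Constructed sample input containing an XSS payload plus characters
// that matter in HTML (&, quotes).
saveComment($pdo, '<script>alert(1)</script> Tom & Jerry\'s "quote"');
echo renderComments($pdo);
```

The row in the table still holds the literal `<script>` tag, which is what you want if the same value is later sent as JSON, shown in a plain-text email, or edited in a form. Note that `htmlspecialchars` is only correct for HTML element content and quoted attributes; a value placed inside a `<script>` block, a URL, or an inline event handler needs escaping for that context instead.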
You should use htmlentities or htmlspecialchars before saving the input to the database, because a text is saved to a database only once [unless there is an edit option on the front end] but is viewed multiple times, so you save your CPU :)