Security Issues (input and output)
#5

(04-29-2016, 07:18 AM)CINewb Wrote: Just a quick one, could anyone explain why we should use xss_clean()?

My understanding has always been that htmlspecialchars() or htmlentities() with ENT_QUOTES is enough?

Therefore isn't CI's escape_html() all that is needed to prevent XSS attacks on output?

Please refer to this link; you will see why htmlspecialchars() and htmlentities() are not foolproof.
http://php.net/manual/en/function.htmlen....php#99896

The basic idea is that it will still allow some scripts like javascript:alert(document.cookie).
xss_clean() would handle it by replacing
"javascript:" with "[removed]"
"document.cookie" with "[removed]"
and many more bad words like this; you can see this in system\core\Security.php.

Of course, nothing is a full solution in the security field, but it is one of the best tools present.
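As an added illustration of the point in the post above (this is example code, not from the thread or from CodeIgniter): htmlspecialchars() with ENT_QUOTES protects the HTML text and quoted-attribute context, but a javascript: URL contains none of the characters it escapes, so it survives unchanged inside an href. The safeHref() function and its http/https allowlist are assumptions chosen for the example, showing the context-specific check (URL scheme validation) that output escaping alone does not give you.

```php
<?php
// Added example, not CodeIgniter's own code: escaping vs. validating a link target.

// Constructed user input: a link target the user controls.
$userUrl = 'javascript:alert(document.cookie)';

// Correct for HTML text and quoted attributes: neutralises < > & " ' so the input
// cannot break out of the attribute or inject a new tag.
$escaped = htmlspecialchars($userUrl, ENT_QUOTES, 'UTF-8');

// The input contains none of those characters, so it is returned unchanged and,
// placed in an href, is still a script URL. Escaping was the wrong tool for this context.
echo '<a href="' . $escaped . '">profile</a>' . PHP_EOL;

// Context-specific fix (assumed design for this example): allow only explicit http/https
// URLs or root-relative paths, then escape for the attribute context as before.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '#';                                  // unparsable: fall back to an inert link
    }
    if ($scheme !== null) {
        if (!in_array(strtolower($scheme), ['http', 'https'], true)) {
            return '#';                              // javascript:, data:, vbscript:, ... rejected
        }
    } elseif ($url === '' || $url[0] !== '/' || substr($url, 0, 2) === '//') {
        return '#';                                  // not root-relative (or protocol-relative)
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a script URL, a benign URL with characters that need escaping,
// a relative path, and a whitespace-obfuscated scheme that has no recognised scheme at all.
$samples = [
    'javascript:alert(document.cookie)',
    'https://example.com/?q=<x>&y="z"',
    '/account',
    " java\tscript:alert(1)",
];
foreach ($samples as $u) {
    echo '<a href="' . safeHref($u) . '">link</a>' . PHP_EOL;
}
```

The allowlist rejects anything that is not plainly http/https or a local path, so obfuscated schemes are refused for failing the allowlist rather than for matching a denylist of "bad words".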
RE: Security Issues (input and output) - by raghavgarg - 04-29-2016, 02:52 PM