[eluser]Buso[/eluser]
I think XSS is for JavaScript removal.
If someone injects </div> in your site, or a giant link to a spam site, it doesn't count as XSS, but it will still break your site.
So you should always htmlentities() any user-generated content, or strip_tags().
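An added example, not code from the post above, showing what the two approaches do to the kinds of input the post mentions (a stray `</div>`, a spam link) plus an attribute-context input. The helper names (`escapeHtml`, `stripMarkup`, `renderComment`) and the sample strings are assumptions constructed for illustration; the calls are stock PHP `htmlentities()` and `strip_tags()`.

```php
<?php
// Added example (not from the original post): escaping vs. stripping
// user-generated content before it is placed into an HTML template.
// All inputs below are constructed for illustration.

declare(strict_types=1);

// Encode a string for an HTML text node or a quoted attribute value.
// ENT_QUOTES also encodes the single quote so the value stays inert inside
// single-quoted attributes; the explicit charset avoids depending on the
// default charset, which has changed between PHP versions.
function escapeHtml(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Remove every tag. This is lossy (the text between tags is kept, the tags
// are gone) and only acts on '<'...'>' sequences, so it is a fit for
// display-only fields where markup is never wanted, not a general escaper.
function stripMarkup(string $untrusted): string
{
    return strip_tags($untrusted);
}

// Hypothetical template: fixed markup with two interpolation points, each
// escaped for the context it lands in (attribute value and text node).
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . escapeHtml($author) . '">'
         . escapeHtml($body)
         . '</div>';
}

// Constructed samples: a structure-breaking close tag, a spam link, and an
// attribute-breakout attempt that contains no '<' at all.
$samples = [
    'Nice post</div><div class="spam">',
    '<a href="http://spam.example/">CLICK HERE</a> for pills',
    '" onmouseover="alert(1)',
];

foreach ($samples as $s) {
    echo "input:        $s\n";
    echo "htmlentities: " . escapeHtml($s) . "\n";
    echo "strip_tags:   " . stripMarkup($s) . "\n\n";
}

// The rendered comment keeps its own <div> intact no matter what the
// author or body contained, because every quote and angle bracket from
// user input has been encoded before concatenation.
echo renderComment('" onmouseover="alert(1)', 'Nice post</div><div class="spam">'), "\n";
```

Running this shows the difference the post is getting at: `htmlentities()` turns `</div>` into `&lt;/div&gt;` and the spam link into visible text, so the page structure survives; `strip_tags()` drops the `</div>` and the `<a>` wrapper (leaving `CLICK HERE for pills`). The third sample is the caveat worth noticing: it has no `<`, so `strip_tags()` returns it unchanged, and if that string were dropped into an attribute unescaped it would close the attribute, whereas `htmlentities()` with `ENT_QUOTES` encodes the `"` and keeps it inert.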