XSS am I doing it wrong?
#1

stuckinphp
I am working on an public facing interface that makes use of a database that is effectively untrusted due to multiple applications accessing it.

I would like a clean way of encoding all my output to UTF-8 with htmlentities to prevent XSS.

CI has nothing built in. The filter that is there is meant for input and does not actually filter all XSS attacks.

I would prefer a blanket fix but don't think there is one.

What I'm really after in this discussion is: what is the best way to filter my output? And is the following the best / most concise solution? (The encode function is a wrapper around htmlentities with UTF-8 and ENT_COMPAT.)

<?php echo form_input("start_date[".encode($id)."]", encode($action->start_date,true), 'class="input input-date dateISO required" readonly=readonly title="must set a date."'); ?>

As you can see it is getting a bit out of hand. Encoding at controller level is just not a solution, as CI doesn't use strict templating. Encoding at model level leaves other possible avenues open. Encoding at time of output seems like the smartest / safest / catch-all way of doing things; I just want someone to confirm I'm not missing something obvious and nicer to look at / maintain.
#2

gyo
You can use the Input & Security class to filter any value, not only input.
If it doesn't "actually filter all XSS attacks", you can easily extend it including your improvements.

Don't forget to share if you do!
#3

stuckinphp
Hah, yes, you are right.

I've gone with an encode helper function I call everywhere in views and using the XSS filter on input.

I've also set the content type header charset to utf-8.

And my "actually filter all XSS attacks" was more of a dig at the blacklist filter. XSS filtering of this kind will never be 100%, but it can be a good start; hoping encoding will curb the rest.
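The view-time encode helper discussed in posts #1 and #3, written out as an added example (not code from this thread or from CodeIgniter). The helper name `encode`, the constructed sample rows and the two context checks are assumptions of this example; it also shows the one caveat of the poster's chosen flags: ENT_COMPAT leaves single quotes alone, so the helper is only safe for double-quoted attributes unless ENT_QUOTES is used.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// "encode", the sample rows and the context checks are assumptions.

function encode(string $value, int $flags = ENT_QUOTES | ENT_SUBSTITUTE): string
{
    // Charset passed explicitly so it matches the Content-Type header charset;
    // ENT_SUBSTITUTE replaces malformed UTF-8 with U+FFFD instead of returning "".
    return htmlentities($value, $flags, 'UTF-8');
}

// Constructed untrusted values, as another application sharing the database
// might have stored them.
$rows = [
    'text'   => '<script>alert(1)</script>',
    'dquote' => '2024-01-01" autofocus onfocus="alert(1)',
    'squote' => "2024-01-01' autofocus onfocus='alert(1)",
];

// An encoded value is safe for a context only if it no longer contains the
// characters that can close that context (tag text, or a quoted attribute).
function safe_for_double_quoted_attr(string $encoded): bool
{
    return strpbrk($encoded, "<>\"") === false;
}
function safe_for_single_quoted_attr(string $encoded): bool
{
    return strpbrk($encoded, "<>'") === false;
}

foreach ($rows as $label => $raw) {
    $compat = encode($raw, ENT_COMPAT | ENT_SUBSTITUTE);   // the poster's flags
    $quotes = encode($raw);                                 // ENT_QUOTES

    printf("%-6s ENT_COMPAT: dq-attr %s, sq-attr %s | ENT_QUOTES: dq-attr %s, sq-attr %s\n",
        $label,
        safe_for_double_quoted_attr($compat) ? 'ok' : 'BREAKS',
        safe_for_single_quoted_attr($compat) ? 'ok' : 'BREAKS',
        safe_for_double_quoted_attr($quotes) ? 'ok' : 'BREAKS',
        safe_for_single_quoted_attr($quotes) ? 'ok' : 'BREAKS');
}

// Encoding at output time in the view, as the thread settles on: the raw
// database value is never echoed, only its encoded form.
$start = $rows['dquote'];
echo '<input type="text" name="start_date" value="' . encode($start) . '" readonly="readonly">', "\n";
```

Run with `php encode_demo.php`; only the `squote` row under ENT_COMPAT in a single-quoted attribute reports BREAKS, which is why views using this helper should stick to double-quoted attributes or switch the helper to ENT_QUOTES.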