I have seen a lot of conflicting answers about this. Many people love to quote that PHP functions alone will not protect you from XSS.
What XSS exactly can make it through htmlspecialchars and what can make it through htmlentities?
I understand the difference between the functions but not the different levels of XSS protection you are left with. Could anyone explain?