In general, I prefer the philosophy of escaping on display: leave everything literal until right before it needs to be escaped/encoded.
This gives you more flexibility with usage (for example, if you use htmlspecialchars and then store that result in the DB, you won’t be able to use that bit of content in plain-text environments like text email or JSON).
It also tends to put the escape/encode function closer to the spot where the output is used, which can help you keep track of what is “safe” and what isn’t.
You should also consider using some sort of naming convention for variables that hold content: for example, when I have content that might include HTML, I use an HTML suffix on the variable name. Content that should not be HTML must be escaped before being combined with content that does. Basically, it helps you keep track of things.
    $article = 'This is some text that talks about <html>.';
    $articleHTML = '<article>' . htmlspecialchars( $article ) . '</article>';
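As an added example (not code from the original answer), here is the escape-on-display pattern carried through three output contexts. The record is kept literal, as it would sit in the database, and is encoded only at each boundary: htmlspecialchars for the HTML page, nothing for a plain-text email, and json_encode for a JSON API. The sample record, the escapeHtml helper and the variable names are assumptions made for this illustration; the HTML suffix follows the convention described above.

```php
<?php
// Added example, not part of the original answer.
// Variables ending in "HTML" hold markup that is already safe to emit.
// Everything else is raw text and must be escaped before it is joined to markup.

function escapeHtml(string $s): string
{
    // ENT_QUOTES: safe inside single- and double-quoted attributes as well as text.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample record, stored raw (unescaped) exactly as the user typed it.
$article = [
    'title' => 'Notes on <html> & "quotes"',
    'body'  => "Tom's draft talks about <script>alert(1)</script> tags.",
];

// 1. HTML page: escape at the exact point where raw text meets markup.
$titleHTML   = escapeHtml($article['title']);
$bodyHTML    = '<p>' . nl2br(escapeHtml($article['body'])) . '</p>';
$articleHTML = '<article><h1>' . $titleHTML . '</h1>' . $bodyHTML . '</article>';

// 2. Plain-text email: no escaping at all; the literal text is what the reader should see.
$emailText = $article['title'] . "\n\n" . $article['body'];

// 3. JSON API: json_encode performs the encoding this context needs.
//    HTML-escaping here would leak "&lt;" and "&quot;" into API clients.
$articleJson = json_encode($article, JSON_THROW_ON_ERROR);

// Contrast: escaping on input (before storage) poisons the other two contexts.
$storedEscaped = escapeHtml($article['title']);
$brokenEmail   = $storedEscaped;                       // reader sees "&lt;html&gt;"
$brokenJson    = json_encode(['title' => $storedEscaped], JSON_THROW_ON_ERROR);

echo $articleHTML, "\n\n", $emailText, "\n\n", $articleJson, "\n\n";
echo "Escaped-on-input email: ", $brokenEmail, "\n";
echo "Escaped-on-input JSON:  ", $brokenJson, "\n";
```

Run it with the PHP CLI (php escape-on-display.php). The first three outputs are each correct for their context because the same raw value was encoded once, at the edge; the last two show the double-encoding the answer warns about when the escaped form is what gets stored.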