Is there a definitive anti-XSS library for PHP?
OWASP offers an encoding library, on which time has been spent to handle the various cases.
Obsolete: http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
Now at http://code.google.com/p/reform/
and OWASP's antiXSS specific library is at: http://code.google.com/p/php-antixss/
HTMLPurifier is the undenied best option for cleansing HTML input, and htmlspecialchars should be applied to anything else.
But XSS vulnerabilities should not be cleaned out, because any such submissions are garbage anyway. Rather make your application bail and write a log entry. The best filter set to achieve XSS detection is in the mod_security core rules.
I'm using an inconspicious but quite thorough attribute detection here in new input(), see _xss method.