My preference is to add the PEAR library to the “vendors” folder and to modify the app_controller to have the PEAR path included through it.

if( file_exists(VENDORS.’Pear’)){
ini_set(‘include_path’, ini_get(‘include_path’) . PATH_SEPARATOR . PEAR);
}

Above solution suggested at CakePHP’s trac

Depending on the library that you want to get included in the programs, add the library to the respective view

App::import(‘vendor’, ‘XML_Feed_Parser’, array(‘file’ => ‘../vendors/pear/XML/Feed/Parser.php’));

In PHP, two functions are mainly used to circumvent XSS attacks.
i) htmlspecialchars
ii) htmlentities

i) htmlspecialchars($string, [$quote_option]) takes care of &, “, ‘, <, > characters by converting them into equivalent character codes. If quote option is set to ENT_QUOTES it converts ‘ – single quotes to ' and if it is set to ENT_NOQUOTES it does not convert ” – double quotes to "

ii) htmlentities() is used to escape all html characters from the text and not just the five characters mentioned above.

Note: If you do not want any html characters in the text, use strip_tags($text) instead.

Also check PEAR’s HTML_Safe library

In wikipedia, you can learn more about XSS and its classification with examples.