I want to double check this and believe this will be helpful for others. If someone uses htmlspecialchars($var) in their code and are running a PHP version prior to 5.4, then they're open to utf-7 XSS. That's a given. Am I correct in assuming that the site would still be open to utf-7 XSS even if the header content character set is utf-8, since the server content character set of PHP defaults to iso-8859-1?
Edit: I was asked what I hope to profit out of this. I hope to make sure a project isn't vulnerable to utf-7, since some programmers don't seem inclined to set the third parameter of htmlspecialchars, which is the character set. If you understand the server character set I mentioned and how that fits into utf-7, then I could really use your help.
Assuming that you are talking about outputting user controlled values to the page then if the HTTP header is set to UTF-8 like so
Content-Type: text/html; charset=utf-8
then XSS cannot be achieved using UTF-7 encodings.