
Is $this->escape() in the Zend view enough for xss


I do a lot of $this->escape() in the zend view. Is this enough to prevent XSS?

There's HTMLPurifier outside the Zend Framework. I wonder how zend's $this->escape() compares to HTMLPurifier.


Solution

  • escape is an alias of htmlspecialchars. It allows you to output plain text, while HTMLPurifier allows you to output safe HTML.

    You can't have XSS with plain text.

    You have to use HTMLPurifier instead of strip_tags if you want to output safe HTML coming from a user input (rich text editor for example).
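The difference the answer describes, as an added example (not from the question or answer, and not Zend's or HTMLPurifier's own code): what escape()/htmlspecialchars produces, why strip_tags is not a sanitizer, and the HTMLPurifier call that yields safe HTML. It assumes Zend Framework 1's escape() is an htmlspecialchars alias, that HTMLPurifier is installed, and uses a constructed input string.

```php
<?php
// Added example, not code from the original post. Assumptions: Zend Framework 1's
// escape() is an alias of htmlspecialchars(); HTMLPurifier is installed on the
// include path; the user input below is constructed for illustration.

// Constructed input from a rich-text editor carrying an injected event handler.
$userInput = '<p>Hello <b>world</b></p><img src=x onerror="alert(1)">';

// 1. What $this->escape() gives you: every HTML-significant character becomes
//    an entity, so the browser renders the tags as literal text. No markup
//    survives, so nothing executes, but the user's formatting is lost too.
$asText = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
// &lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;&lt;img src=x onerror=&quot;alert(1)&quot;&gt;

// 2. strip_tags() with an allow-list keeps the allowed tags together with ALL of
//    their attributes, so the onerror handler is left in place. This is why the
//    answer says strip_tags is not the tool for safe HTML.
$stripped = strip_tags($userInput, '<p><b><img>');
// <p>Hello <b>world</b></p><img src=x onerror="alert(1)">

// 3. HTMLPurifier parses the input into a DOM and rebuilds it against a
//    whitelist of elements and attributes: formatting is kept, the event
//    handler is dropped, and the output is well-formed.
require_once 'HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]');
$purifier = new HTMLPurifier($config);
$asHtml = $purifier->purify($userInput);
// Roughly: <p>Hello <b>world</b></p><img src="x" alt="x" />  (onerror removed;
// HTMLPurifier also fills in the required alt attribute)

// Caveat on escape(): it is only the right encoding for HTML text content and
// double-quoted attribute values. It does not make data safe inside <script>,
// inline event handlers, unquoted attributes, or URL attributes (javascript:
// schemes), each of which needs its own context-specific encoding.
// Assumption to verify against your ZF version: ZF1's escape() passes ENT_COMPAT,
// so single quotes are NOT encoded and a single-quoted attribute is not protected;
// use ENT_QUOTES, as above, when you call htmlspecialchars() yourself.
```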