I've found a much better anti-XSS system, something like a "big umbrella".
1. Check for doubtful requests (e.g. "<script") at the top of the application.
2. If such requests exist, push an output filter with ob_start().
3. Otherwise no ob_start() is pushed (= performance safe).
4. Check whether the registered doubtful requests exist in the HTML being output.
5. If they exist, die().
I'll write the code in (2)
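
The five steps above, sketched in PHP as an added example; this is not the author's code. Every umbrella_* name, the pattern list beyond "<script", and the sample request are assumptions, and the filter returns a replacement body instead of calling die(), because it runs inside the output callback.

```php
<?php
// Added example; every umbrella_* name and the pattern list are hypothetical.
// "<script" is the page's example pattern, the other two are assumptions.
const UMBRELLA_PATTERNS = ['/<script/i', '/\bon\w+\s*=/i', '/javascript:/i'];

// Step 1: collect doubtful request values, recursing into nested arrays.
function umbrella_collect(array $input, array &$found = []): array {
    foreach ($input as $value) {
        if (is_array($value)) { umbrella_collect($value, $found); continue; }
        foreach (UMBRELLA_PATTERNS as $pattern) {
            if (preg_match($pattern, (string) $value)) { $found[] = (string) $value; break; }
        }
    }
    return $found;
}

// Steps 4-5: output callback that blocks the page when a registered
// doubtful value appears verbatim in the HTML about to be sent.
function umbrella_filter(array $doubtful): callable {
    return function (string $html) use ($doubtful): string {
        foreach ($doubtful as $value) {
            if (strpos($html, $value) !== false) {
                if (!headers_sent()) { http_response_code(400); }
                return 'Request blocked.'; // replaces the page, the effect of die()
            }
        }
        return $html;
    };
}

// Steps 2-3: push the filter only when something doubtful was found,
// so clean requests pay no output-buffering cost.
function umbrella_start(array $request): bool {
    $doubtful = umbrella_collect($request);
    if ($doubtful === []) { return false; }
    ob_start(umbrella_filter($doubtful));
    return true;
}

// Constructed sample request for a command-line run; a web request uses the superglobals.
$request = PHP_SAPI === 'cli'
    ? ['get' => ['q' => '<script>alert(1)</script>']]
    : ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE];
umbrella_start($request);

// Deliberately unescaped stand-in for a vulnerable template, so the filter has something to catch.
echo '<p>Results for ' . ($request['get']['q'] ?? '') . '</p>';
```

The check only catches values reflected byte-for-byte; input that the application decodes, transforms or stores before output passes through, so output escaping is still needed underneath the umbrella.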