Regex as first line of defense against XSS

Azzimi

New Member
I had a regex as the first line of defense against XSS.

```php
public static function standard_text($str)
{
    // pL matches letters
    // pN matches numbers
    // pZ matches whitespace
    // pPc matches underscores
    // pPd matches dashes
    // pPo matches normal punctuation
    return (bool) preg_match('/^[\pL\pN\pZ\p{Pc}\p{Pd}\p{Po}]++$/uD', (string) $str);
}
```

It is actually from Kohana 2.3. This runs on public entered text (no HTML ever), and denies the input if it fails this test. The text is always displayed with `htmlspecialchars()` (or more specifically, Kohana's flavour; it adds the charset amongst other things). I also put a `strip_tags()` on output.

The client had a problem when he wanted to enter some text with parentheses. I thought about modifying or extending the helper, but I also had a secondary thought: if I allow double quotes, is there really any reason why I need to validate at all? Can I just rely on the escaping on output?
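As an added example (not code from the original post or from Kohana), the script below shows the two layers side by side: the allow-list pattern extended with the Unicode open/close punctuation classes `\p{Ps}` and `\p{Pe}` so that parentheses pass, and an output escaper built on `htmlspecialchars()` with explicit flags. The function names `standard_text` and `escape_html`, the flag choices and the sample inputs are this example's own assumptions. Note that `\p{Po}` already covers both quote characters, while `<`, `>` and `=` fall under `\p{Sm}` (math symbols) and remain rejected by the pattern.

```php
<?php
// Added example, not from the original post or Kohana: an allow-list validator
// that accepts parentheses, next to an output escaper that neutralises every
// HTML-significant character regardless of what the validator let through.

declare(strict_types=1);

/**
 * Allow-list check. \p{Ps} and \p{Pe} (open/close punctuation) are added to
 * the original pattern so "(" and ")" are accepted. \p{Po} already includes
 * the quote characters; "<", ">" and "=" are \p{Sm} and stay rejected.
 */
function standard_text(string $str): bool
{
    return (bool) preg_match('/^[\pL\pN\pZ\p{Pc}\p{Pd}\p{Po}\p{Ps}\p{Pe}]++$/uD', $str);
}

/**
 * Output escaping for an HTML text node or a quoted attribute value.
 * ENT_QUOTES escapes both quote styles (before PHP 8.1 the default was
 * ENT_COMPAT, which leaves single quotes alone). ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string, which would
 * otherwise silently drop the whole value.
 */
function escape_html(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (assumptions for this example).
$inputs = [
    'Hello (world)',            // accepted once Ps/Pe are allowed
    'She said "hi" (twice)',    // quotes are \p{Po}: accepted, then escaped to &quot;
    'Café – déjà vu',           // non-ASCII letters and an en dash (\p{Pd}): accepted
    '<b>bold</b>',              // rejected by the allow-list; escaping still neutralises it
];

foreach ($inputs as $in) {
    $verdict = standard_text($in) ? 'accepted' : 'rejected';
    // Whatever the allow-list decided, the escaped form cannot open a tag
    // or close a quoted attribute when placed in those HTML contexts.
    printf("%-8s %s\n", $verdict, escape_html($in));
}
```

The escaper is the layer that actually prevents injection in text-node and quoted-attribute contexts; the allow-list only narrows what reaches storage. Any value that is placed into a JavaScript block, a URL or an unquoted attribute needs a context-specific encoder instead of `htmlspecialchars()`, since neither layer above covers those contexts.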