so, should we do an htmlentities() on it or something?
yep, htmlentities() should be done, instead of htmlspecialchars() ..
htmlentities doesn't handle multi-byte characters
why not the 8bit utf format?
htmlentities($str, ENT_COMPAT, 'UTF-8');
I am not sure if this works with PHP4 .. I think the support was broken until PHP5, but you can test it anyways.