Question

I am not sure how I should use htmlPurifier; I don't want to slow the system down. I want to strip everything out so my site can't get infected by XSS injections when I later echo out the data that the user has posted. Also, I'm using bind_param() later to protect against SQL injections.

So should I use htmlPurifier like this:

$name = $_POST['name'];
$comment = $_POST['comment'];

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_name = $purifier->purify($name);
$clean_comment = $purifier->purify($comment);

Or should I use it like this:

$dirty_html = array('name' => $_POST['name'], 'comment' => $_POST['comment']);  

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);

Would both work equally fast? The main goal is to sanitize against XSS; the data should only be left as pure text so I can later echo it out.


Solution

Only the first code snippet works. Even if the second snippet worked, it wouldn't have any performance difference.
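The two calling patterns side by side, as an added example that is not code from the question or the answer. It assumes HTMLPurifier is installed through Composer (vendor/autoload.php), uses HTMLPurifier's purifyArray() for the batch case, and the $post array standing in for $_POST is constructed.

```php
<?php
// Added example: cleaning several form fields with HTMLPurifier and then
// echoing them as plain text. Assumes a Composer install of ezyang/htmlpurifier.
require_once 'vendor/autoload.php';

// Constructed sample input standing in for $_POST.
$post = [
    'name'    => 'Mallory <script>alert(1)</script>',
    'comment' => '<b onmouseover="alert(1)">hi</b> <a href="javascript:alert(1)">x</a>',
];

// Build the config and the purifier once per request; constructing them is
// the costly part, purify() itself is cheap by comparison.
$config = HTMLPurifier_Config::createDefault();
// The question wants pure text: allow no elements at all, so every tag is
// stripped and only its text content survives (script bodies are dropped
// as well, because Core.RemoveScriptContents defaults to true).
$config->set('HTML.Allowed', '');
$purifier = new HTMLPurifier($config);

// Pattern 1 (the one the answer says works): purify() takes one string.
$clean_name    = $purifier->purify($post['name']);
$clean_comment = $purifier->purify($post['comment']);

// Pattern 2: purify() does not accept an array. The batch form of the same
// call is purifyArray(), which returns an array with the same keys.
$clean = $purifier->purifyArray($post);

// Purification happened on input; still escape at output time so the value
// is rendered as text in an HTML context, whatever ends up in the database.
foreach ($clean as $field => $value) {
    echo $field, ': ', htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
}
```

If the stored value is only ever shown as text, htmlspecialchars() at output time is the check that prevents the XSS; HTMLPurifier earns its cost when some HTML must be allowed through.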

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow