If carrying data around in a cookie, or from otherwise untrusted sources, there’s no magic bullet that I’m aware of, but the simplest process I use looks like this:
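// Remove backslash escaping (for example, added by addslashes())
$html = stripslashes($html);
// Re-encode as UTF-8 so invalid byte sequences are replaced
$html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');
// Convert special characters, including single and double quotes, to HTML entities
$html = htmlentities($html, ENT_QUOTES, 'UTF-8');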
Yes, there are ways around this… But it’s a simple start, and handy if you don’t need a completely secure solution (brochure sites, etc.).
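The three-step pipeline above is safe for HTML text and quoted attribute values, but entity encoding alone does not vet where a link points. The following is an added example, not the original author's code: it wraps the pipeline in a function and adds a stricter variant for `href` values. The function names, the scheme allow-list and the sample values are assumptions made for illustration.

```php
<?php
// Added example; function names and sample data are hypothetical.

// The page's pipeline, for HTML text nodes and quoted attribute values.
function clean_for_html(string $raw): string
{
    $s = stripslashes($raw);                         // undo addslashes()-style escaping
    $s = mb_convert_encoding($s, 'UTF-8', 'UTF-8');  // replace invalid UTF-8 bytes
    return htmlentities($s, ENT_QUOTES, 'UTF-8');    // encode < > & " '
}

// Link targets: check the URL scheme against an allow-list before encoding,
// because htmlentities() leaves the scheme itself untouched.
function clean_for_href(string $raw): string
{
    $s = trim(mb_convert_encoding(stripslashes($raw), 'UTF-8', 'UTF-8'));

    // Refuse control characters and embedded whitespace outright.
    if ($s === '' || preg_match('/[\x00-\x20\x7F]/', $s)) {
        return '#';
    }

    $scheme  = parse_url($s, PHP_URL_SCHEME);
    $allowed = ['http', 'https', 'mailto'];          // assumed allow-list
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowed, true)) {
        return '#';   // relative, malformed or non-allow-listed URLs are dropped
    }
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Constructed values standing in for cookie data.
$cookie = [
    'name'     => "O\\'Brien <b>bold</b>",
    'bad_utf8' => "caf\xC3 au lait",
    'link_ok'  => 'https://example.com/?a=1&b=2',
    'link_bad' => 'javascript:void(0)',
];

echo '<p>', clean_for_html($cookie['name']), "</p>\n";
echo '<p>', clean_for_html($cookie['bad_utf8']), "</p>\n";
echo '<a href="', clean_for_href($cookie['link_ok']), '">ok</a>', "\n";
echo '<a href="', clean_for_href($cookie['link_bad']), '">dropped</a>', "\n";
```

Always emit the attribute value inside quotes, as the `echo` lines do; the encoded output is not safe in an unquoted attribute or inside a `<script>` block.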