RECRUITMENT AGENCY MANAGEMENT SYSTEM (Laravel) XSS Rejected!

Hello March023,

I think that most reviewers just test against basic XSS protection, meaning that they only complain when it seems that you have no XSS protection in place at all.

$str = strip_tags($input);

is the bare minimum protection that you can have in PHP.

For a more complete XSS protection, replace quotes with HTML entities in strings and find a way to prevent javascript: and vbscript: protocols.

Cheers!

1 Like
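The three layers the reply names (strip tags, encode quotes as HTML entities, reject javascript:/vbscript: URL schemes), as an added PHP example that is not code from the original post or thread; the function names, the allowed-scheme list and the sample inputs are assumptions made for the illustration:

```php
<?php
// Added example, not the original post's code (only strip_tags($input) appears there).
// Shows the three layers the reply names: strip tags, encode quotes as
// HTML entities, and reject javascript:/vbscript: URL schemes.

declare(strict_types=1);

/** Encode a string for insertion into HTML text or a quoted attribute. */
function encodeForHtml(string $input): string
{
    // ENT_QUOTES encodes both ' and ", so the value cannot close an attribute.
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Return a safe href. Assumed policy: only http, https and mailto are allowed; else "#". */
function safeHref(string $url): string
{
    $url = trim($url);
    // Drop control characters and whitespace, which browsers ignore inside a scheme,
    // so that a scheme split by a tab or newline is still recognised and rejected.
    $normalized = preg_replace('/[\x00-\x20\x7f]/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return '#';   // javascript:, vbscript:, data:, etc. are rejected
        }
    }
    // Relative URLs and allowed schemes are kept, but still entity-encoded for the attribute.
    return encodeForHtml($url);
}

/** Render one candidate profile link; $name and $site are untrusted user input. */
function renderProfile(string $name, string $site): string
{
    $name = strip_tags($name);  // the bare-minimum layer from the reply
    return '<a href="' . safeHref($site) . '">' . encodeForHtml($name) . '</a>';
}

// Constructed sample inputs (not taken from any real submission):
echo renderProfile('Ann <b>"Smith"</b>', 'https://example.com/cv'), PHP_EOL;
echo renderProfile('Ann <script>x()</script>', "java\tscript:void(0)"), PHP_EOL;
```

The second call demonstrates why the scheme check must run on the normalised string: a naive `str_starts_with($url, 'javascript:')` test would miss the tab-split scheme, while `strip_tags` alone would still leave the quotes in the name unencoded.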