If filter input and escape output is the correct approach, then using htmlspecialchars like below is the correct way, yes?
$body = "Body text";
$body = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
return $body;
But say, for instance, the body text has an HTML link within it; then the link will be converted to this:
&lt;a href=&quot;http://www.appmobi.com/?q=node/66&quot;&gt;AppMobi App School&lt;/a&gt;
Which means that instead of displaying a clickable link, the HTML page displays the code like so:
<a href="http://www.appmobi.com/?q=node/66">AppMobi App School</a>
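
One way to keep the output escaped while still letting plain links render, as an added example that is not part of the original post: escape the whole body with htmlspecialchars first, then re-enable only anchors whose escaped form matches a strict pattern. The function name `render_body` and the sample strings are hypothetical and constructed for illustration; the example assumes that only `<a href="http(s)://...">` with no other attributes should become clickable.

```php
<?php
// Added example (not from the original post): escape first, then allowlist.
// render_body() and the sample inputs are hypothetical, constructed for illustration.

function render_body(string $raw): string
{
    // 1. Escape everything. ENT_SUBSTITUTE keeps invalid UTF-8 from
    //    turning the whole result into an empty string.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Match only the *escaped* form of <a href="http(s)://...">text</a>.
    //    The URL may contain &amp; but no other entity and no whitespace,
    //    so an encoded quote can never end up inside the href. Other tags,
    //    extra attributes and javascript: URLs do not match and stay inert.
    $pattern = '~&lt;a href=&quot;(https?://(?:[^\s&]|&amp;)+)&quot;&gt;(.*?)&lt;/a&gt;~s';

    // 3. Rebuild the anchor from the captures, which are already escaped.
    $html = preg_replace($pattern, '<a href="$1" rel="nofollow noopener">$2</a>', $safe);

    // preg_replace() returns null on a PCRE error: fall back to the fully
    // escaped string rather than emitting nothing or raw input.
    return $html ?? $safe;
}

// Constructed sample bodies.
$samples = [
    // The link from the question: becomes clickable again.
    'See <a href="http://www.appmobi.com/?q=node/66">AppMobi App School</a>',
    // Script tag: stays escaped and is shown as text.
    'Hello <script>alert(1)</script>',
    // Non-http scheme: stays escaped.
    '<a href="javascript:alert(1)">click</a>',
    // Extra attribute: stays escaped.
    '<a href="http://example.test/" onclick="alert(1)">click</a>',
    // Markup inside the link text: the anchor is restored, the inner tag is not.
    '<a href="https://example.test/?a=1&b=2"><b>bold</b> text</a>',
];

foreach ($samples as $body) {
    echo render_body($body), PHP_EOL;
}
```

For bodies that need more than plain links (lists, emphasis, images), a parser-based HTML sanitizer with an allowlist is a better fit than extending the pattern.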