CommentAuthor: lobo
CommentTime: Jan 1st 2010
Does PHPIDS try to prevent separated XSS injection? A definition is below. If not, any ideas on how to do so in the short term? (In the medium term we'll switch to output encoding.)

In several cases it is possible to use multiple input boxes that get displayed later either together or close enough that it is possible to inject the first half of the code in the first box with a trailing comment, then inject the end comment and end script in the second box. We call this Separated XSS Injection. For instance, you have input box 1 and input box 2. It is not possible to get by the IDS in the software by injecting <script>alert(1);</script> into either of those boxes. When the content is later displayed, it is displayed in a table consisting of: Input box 1, ID# (auto generated), Input box 2. By injecting <script>alert(1);// into input box 1, and //--></script> into input box 2, the content in the table then becomes: <script>alert(1);// </td><td>ID#</td><td> //--></script>. This script is now executable even though it was split and injected into different areas.
CommentAuthor: christ1an
CommentTime: Jan 3rd 2010
    Simply put: Not really.
CommentAuthor: .mario
CommentTime: Apr 1st 2010
A general word on fragmented XSS: it's not really possible to do this, since the number of permutations can easily cause a DoS, even with few different parameters. Either we had to create a half-baked solution or a system prone to DoS attacks, both not good. The IE8 XSS filter team had the same dilemma, btw, and decided not to filter for fragmented XSS either.