October 21, 2002

Cross-site scripting filter for PHP4. PHP's strip_tags() is grossly insufficient for preventing user-supplied HTML text from being a security hazard. $message = strip_tags($message, '<a>'); is enough to allow users to post arbitrary JavaScript on, say, your blog's comment system.

I've always suspected this was the case, but never bothered to test. Now that I've tested it, I've disabled all HTML in BrainLog comments. (Not all HTML tags have scriptable attributes, but until I've tested this thoroughly in most browsers or seen a report of such a test, I'm holding all HTML suspect.) If you have a link to share, just include the URL as text and we'll copy-and-paste.
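As an added illustration (not code from the original post), the PHP 7+ snippet below shows what the post describes: strip_tags() with an allowed-tag list leaves the tag's attributes intact, whereas escaping the whole comment and linkifying bare URLs yourself (the "URL as text" approach the post settles on) never lets user-supplied markup or attributes reach the browser. The sample comment is constructed.

```php
<?php
// Constructed sample comment: an allowed <a> tag carrying script-bearing
// attributes, a plain URL, and a tag that is not on the allow-list.
$comment = 'Nice post! <a href="javascript:alert(1)" onmouseover="alert(2)">click</a> '
         . 'see http://example.com/page?a=1&b=2 <script>alert(3)</script>';

// 1. The approach the post warns about: strip_tags() removes <script>,
//    but keeps the entire <a ...> tag, attributes included, so the
//    href="javascript:..." and onmouseover="..." survive untouched.
$weak = strip_tags($comment, '<a>');

// 2. Safer: treat the comment as text, not markup. htmlspecialchars()
//    turns every < > " ' & into an entity, so nothing the user typed can
//    be parsed as a tag or attribute. Links are then generated by us,
//    from bare http(s) URLs, with only attributes we control.
function render_comment(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Run on the already-escaped text: the match can only contain
    // entities and URL characters, never a raw quote or angle bracket,
    // so it is safe to place inside the href attribute and the link text.
    return preg_replace_callback(
        '~\bhttps?://[^\s<>"\']+~i',
        function (array $m): string {
            return '<a href="' . $m[0] . '" rel="nofollow">' . $m[0] . '</a>';
        },
        $escaped
    );
}

echo "strip_tags(\$comment, '<a>') leaves:\n", $weak, "\n\n";
echo "render_comment(\$comment) produces:\n", render_comment($comment), "\n";
```

The escape-then-linkify order matters: escaping first guarantees the only `<a>` in the output is the one the callback builds, whose href is constrained by the regex to an http(s) URL.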