So a function that removes <script> tags from your user input? What about the onclick, onsubmit etc of elements? If you take this approach, you’ll most likely find so many problems. Then, what happens in a forum like this? I want to display my code for others to see, not attack the site.
In general I find it's better to explicitly replace all string inputs as I put them into the database, using the following function (it sits inside the parse class):

    static public function encode($string) {
        // map the five HTML metacharacters to their entities
        return str_replace(
            array('&', '<', '>', "'", '"'),
            array('&amp;', '&lt;', '&gt;', '&#039;', '&quot;'),
            $string
        );
    }

Then, on longer strings expected to be multi-line, as they are displayed I'll run them through a forum-tag style function which pretty much puts in <br />, <b> and so on. 99% of input strings come from the database or a similar source. The exceptions are generally when a script redirects and wants to display a 'You must be logged in.' message, for example. These are pretty static, so a simple isset($_GET['out']) is done to display the error (avoiding passing strings across scripts through input like this).
I’ve also noticed the use of $_REQUEST, isn’t this bad programming practice in PHP? You’re not being entirely clear on where your input is coming from and in particular, appending ?text=asdf to the url bar is a helluva lot easier than adding it to the POST string (I’m sure there are other, better, reasons that my brain just can’t even comprehend at 11am in the morning…).
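The two points above (encode every untrusted string instead of stripping <script>, and read from $_POST rather than $_REQUEST) side by side, as an added example that is not the poster's code. It uses PHP's built-in htmlspecialchars() in place of the poster's str_replace table, and the sample inputs, the naive_strip_script(), forum_format() and read_post_field() names are all constructed for this illustration.

```php
<?php
// Added example: why stripping <script> tags is the wrong filter, and what
// encoding every untrusted string on the way to the page buys you instead.

// The blacklist approach from the thread: remove <script>...</script> only.
// Anything that carries its script somewhere else (an event-handler attribute,
// for instance) passes straight through, while a user who legitimately pastes
// code to show others has their text silently deleted.
function naive_strip_script(string $input): string {
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $input);
}

// The encoding approach: turn the five HTML metacharacters into entities so the
// browser shows them as text. ENT_QUOTES covers both ' and ", matching the
// poster's str_replace list; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function encode(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The poster's display-time step: a tiny forum-tag formatter that runs on the
// already-encoded text. Because encoding happened first, the only HTML that can
// reach the browser is the <br /> and <b> this function itself emits.
function forum_format(string $encoded): string {
    $out = nl2br($encoded);
    return preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $out);
}

// Be explicit about the input channel: read the field from $_POST only, so a
// value appended to the URL as ?text=... is never picked up by mistake.
function read_post_field(string $name): ?string {
    return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : null;
}

// Constructed sample inputs (not real forum data).
$samples = [
    'code paste'   => "<script>alert('hi')</script> is how you pop an alert",
    'handler attr' => '<b onclick="alert(1)">click me</b>',
    'forum markup' => "line one\n[b]bold line[/b] & friends",
];

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";
    echo "strip   : ", naive_strip_script($raw), "\n";
    echo "encode  : ", encode($raw), "\n";
    echo "display : ", forum_format(encode($raw)), "\n\n";
}
```

Running it shows the contrast: for "code paste" the stripper throws away exactly the text the user wanted others to see, while the encoder renders it verbatim as harmless text; for "handler attr" the stripper changes nothing and the onclick survives, whereas the encoder emits `&lt;b onclick=&quot;...` so the browser never sees an element at all; for "forum markup" the encode-then-format order means `&amp;` is produced for the ampersand while the `[b]` tag still becomes a real `<b>`. Running forum_format() before encode() instead would re-encode the `<b>` it had just created, which is why the poster's order (encode on the way in, format on the way out) matters.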