On 7/23/07, Paul Bennett <Paul.Bennett at wcc.govt.nz> wrote:
> I've set up a generic function to check for the following: &lt;, &gt;, <, > and reject the data if they're found.

If you're checking for entities, check for &lt; and &gt; (without semicolons, as most browsers will decode those too) and their numeric counterparts &#60; and &#62; (again, with and without semicolons).

Depending on how you're stripping things, you'll probably want to look out for someone doing &<lt;script&>gt;. The <> would get stripped, but depending on your order of regex matching, it might leave valid tags behind.

There are probably other ways. That's just what I've thought of for now.
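The order-of-filtering problem described above, as an added example that is not part of the thread: a reject-entities-then-strip-brackets filter (a hypothetical reconstruction of the function discussed, not Paul's code) is run over the interleaved input from the message, alongside the output-encoding approach that makes stripping order irrelevant. The sample input is constructed.

```python
import html
import re
from typing import Optional

# Constructed input: angle brackets are interleaved with the entity text,
# so no complete entity exists until the brackets are stripped.
SAMPLE = "&<lt;script&>gt;alert(1)&<lt;/script&>gt;"

# Named and numeric entities for < and >, semicolon optional
# (covers &lt; &gt; &#60; &#62; &#x3c; &#x3e; and leading-zero variants).
ENTITY_RE = re.compile(r"&(lt|gt|#0*6[02]|#x0*3[ce]);?", re.IGNORECASE)


def naive_filter(value: str) -> Optional[str]:
    """Blacklist filter in the order the thread warns about:
    1) reject if an entity is present, 2) strip literal < and >.
    Returns None when the input is rejected."""
    if ENTITY_RE.search(value):
        return None
    return value.replace("<", "").replace(">", "")


def renders_as_script_tag(stored: str) -> bool:
    """Models a later stage that decodes entities before rendering,
    which is where the stripped-but-reassembled entity becomes a tag."""
    return "<script" in html.unescape(stored).lower()


def safe_output(value: str) -> str:
    """Encode at output time instead of stripping on input. Every & < >
    becomes an entity, so reassembly after stripping cannot occur."""
    return html.escape(value, quote=True)


def demonstrate(value: str) -> dict:
    """Run both approaches and report what each leaves behind."""
    stripped = naive_filter(value)
    return {
        "naive_stored": stripped,
        "naive_becomes_tag": stripped is not None and renders_as_script_tag(stripped),
        "encoded_stored": safe_output(value),
        "encoded_becomes_tag": renders_as_script_tag(safe_output(value)),
    }


if __name__ == "__main__":
    for k, v in demonstrate(SAMPLE).items():
        print(f"{k}: {v}")
```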