How to prevent Cross Site Scripting (XSS) attacks?
If we want HTML mostly disabled but still want to allow simple formatting, we can allow just a few selected HTML tags (without attributes), such as strong or em. Alternatively, we can allow a popular set of markup tags called "BBCode" or "BB Tags", which the application translates into HTML itself. This can be a good way to allow some formatting while disallowing anything dangerous, provided two rules are kept: all user text is HTML-escaped first and only the allowlisted tags are turned back into markup, and any tag that carries a value (for example [url=...]) has that value validated, since a value such as javascript:... would otherwise end up in an href attribute. We can implement BBCode using pre-existing packages such as HTML_BBCode or write our own.
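The following is an added example (not code from the page, and not the HTML_BBCode package it mentions) showing the escape-first approach in Python: everything is HTML-escaped, then an assumed allowlist of attribute-less tags is re-enabled, and [url=...] is only converted when the value parses as an http or https URL.

```python
import html
import re
from urllib.parse import urlparse

# Assumed allowlist: BBCode tag -> HTML element that takes no attributes.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u", "code": "code"}

# Only these URL schemes may become an href; javascript:, data: etc. are rejected.
SAFE_SCHEMES = {"http", "https"}


def is_safe_url(url):
    """Return True only for absolute http(s) URLs with a host part."""
    parts = urlparse(url)
    return parts.scheme.lower() in SAFE_SCHEMES and parts.netloc != ""


def bbcode_to_html(text):
    # Step 1: escape everything, so no raw HTML from the user survives.
    out = html.escape(text, quote=True)

    # Step 2: re-enable the allowlisted simple tags. The replacement
    # emits fixed element names only, never user-controlled attributes.
    # Unbalanced or nested-same-name tags are simply left as literal text.
    for bb, element in SIMPLE_TAGS.items():
        pattern = r"\[%s\](.*?)\[/%s\]" % (bb, bb)
        out = re.sub(pattern, r"<%s>\1</%s>" % (element, element), out,
                     flags=re.IGNORECASE | re.DOTALL)

    # Step 3: [url=VALUE]label[/url]. VALUE is still escaped at this point,
    # so it is unescaped for validation and re-escaped for the attribute.
    def replace_url(match):
        url = html.unescape(match.group(1))
        label = match.group(2)
        if not is_safe_url(url):
            return match.group(0)  # leave the (already escaped) literal text
        return '<a href="%s" rel="nofollow">%s</a>' % (
            html.escape(url, quote=True), label)

    out = re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", replace_url, out,
                 flags=re.IGNORECASE | re.DOTALL)
    return out


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("<script>alert(1)</script>",
                   "[b]bold [i]and italic[/i][/b]",
                   "[url=javascript:alert(1)]click[/url]",
                   '[url=http://example.com/?a=1&b="2"]site[/url]'):
        print(bbcode_to_html(sample))
```

Because escaping happens before any tag is recognised, a quote or angle bracket inside a tag value can never break out of the generated attribute; the scheme check is what stops a syntactically harmless but dangerous value from becoming a link.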