gilmae mentioned this in a comment, and I give examples of why I’m stripping things from comments in comments, It Doesn’t Work. So here it is, The Problem With HTML.

First, some more basic problems. Aquarionics, being Neat, Cool, and generally Compliant, uses CSS for layout. It consists of various sections, set out in the code as <div> (DIVision) tags. This, for example, is in #content, which is slightly overlapping #header which contains the sweeping-curve logo. To the right is #cool containing Neatothings from the rest of the site. If I allowed all HTML in comments, someone could put in a few <div> tags and completely ruin the layout and readability of the site. Bad.

The same problem applies for Table-based designs with </td> tags. Those can really ruin someone’s day. So, HTML Bad.

PHP has a nice function called striptags(), which strips all HTML tags from a post except the ones you specify. “So don’t specify <script>” is the wise call, but it’s not that easy, because Javascript can be inside any normal tag. For example, I could have something in italics like this:

<em onMouseOver=“window.alert(‘Hah! You Lose!’)”>Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you</em>

Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you

Which isn’t exactly the end of the world, but it could be worse. I mean, it *could* be…

<em onMouseOver=“document.location=’http://www.goat.cx'”>Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you</em>

Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you

Or worse…

<em onLoad=“document.location=’http://www.goat.cx'”>Go on. Touch me. I dare you, I double-dare you. I double plus infinity dare you</em>

(No, I’m not putting that code in 🙂
And those codes will not get stripped out. The latest version of striptags() cuts out all “alert” type Javascript, but doesn’t recognise the more simple kind that changes an innocent variable. Like the document.location. So no HTML.