As the developer behind AmbitiousLemon's user/hosting request management backend, I've been fixing bugs and implementing features. A couple days ago, I came across a terrible discovery. I wrote the AL code years ago and was too inexperienced to carefully sanitize user input. I validated it when required -- making sure ID numbers in URLs were integers -- but didn't bother to strip HTML tags from form input. Yikes! This allowed people to include script tags and gather sensitive info from admins. (Needless to say, it's been fixed.)

The PHP code I use to strip/sanitize input has a couple functions:

// Converts string to plain text, no tags at all
$text = html2txt($dangerous_string);

// Strips out harmful tags, leaves markup tags (i.e. <strong></strong>, <a></a>, etc)
$text = stackoverflow_strip_tags($dangerous_string);