http://www.perlmonks.org?node_id=289691


in reply to Re: Back to acceptable untainted characters
in thread Back to acceptable untainted characters

3. In all cases, RegExp/escape any HTML from users so the code would never render in a browser
...unless you want some HTML to render, as you might in e.g. a user "biography" field. In that case, you'll probably want to do some trickery with an HTML parser module to allow a few tags and attributes and strip out the rest.

Once again, though, note the use of "allow". Decide what's permissible and take out everything else. Better safe than sorry.

=cut
--Brent Dax
There is no sig.
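The "allow a few tags and attributes and strip out the rest" approach above, written out as an added example (not code from the original post or from Brent Dax). It assumes the CPAN modules HTML::Parser and HTML::Entities are installed; the %ALLOWED table and the http/https-only rule for href are hypothetical choices for this illustration, not anything the thread specifies. Anything not on the list, tag or attribute, is either escaped to literal text (unknown tags) or dropped (unknown attributes, comments, declarations), so the browser never renders it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser;                            # CPAN, assumed installed
use HTML::Entities qw(encode_entities);      # CPAN, assumed installed

# Allow-list (hypothetical for this example): tag => [permitted attributes].
# Everything not listed here is escaped or dropped.
my %ALLOWED = (
    b => [],
    i => [],
    p => [],
    a => ['href'],
);

# Characters that must never reach the browser unescaped inside text or attributes.
my $UNSAFE = '<>&"\'';

sub sanitize_html {
    my ($html) = @_;
    my $out = '';

    my $p = HTML::Parser->new(
        api_version   => 3,
        unbroken_text => 1,                  # deliver text runs whole, not in chunks
        start_h => [ sub {
            my ($tag, $attr, $text) = @_;
            unless (exists $ALLOWED{$tag}) {
                # Unknown tag: show it as literal text instead of rendering it.
                $out .= encode_entities($text, $UNSAFE);
                return;
            }
            # Rebuild the tag from scratch, keeping only listed attributes.
            my $rebuilt = "<$tag";
            for my $name (@{ $ALLOWED{$tag} }) {
                next unless defined $attr->{$name};
                my $val = $attr->{$name};
                # Assumption for this example: links may only use http or https.
                next if $name eq 'href' && $val !~ m{\Ahttps?://}i;
                $rebuilt .= qq{ $name="} . encode_entities($val, $UNSAFE) . '"';
            }
            $out .= "$rebuilt>";
        }, 'tagname, attr, text' ],
        end_h => [ sub {
            my ($tag, $text) = @_;
            $out .= exists $ALLOWED{$tag}
                  ? "</$tag>"
                  : encode_entities($text, $UNSAFE);
        }, 'tagname, text' ],
        # 'dtext' is entity-decoded text; re-encoding it normalises any
        # pre-existing entities and escapes anything dangerous.
        text_h => [ sub { $out .= encode_entities($_[0], $UNSAFE) }, 'dtext' ],
        # No default_h: comments, declarations and processing instructions
        # have no handler, so HTML::Parser simply discards them.
    );
    $p->parse($html);
    $p->eof;
    return $out;
}

# Constructed sample input for the demonstration.
my $untrusted = '<p>Hi <b onclick="x()">there</b> '
              . '<script>alert(1)</script> '
              . '<a href="javascript:void(0)">link</a> '
              . '<a href="http://example.com/?a=1&b=2">ok</a> 1 < 2</p>';

print sanitize_html($untrusted), "\n";
# The <b> survives without its onclick, <script> becomes visible text,
# the javascript: link loses its href entirely, the http link keeps a
# properly escaped href, and the bare "<" in the text is escaped.
```

Note that the sanitizer rebuilds every permitted tag from the parsed pieces rather than passing the original markup through, which is what makes "decide what's permissible and take out everything else" hold even for malformed or oddly-cased input the parser tolerates.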