I too was a little bit concerned about various forms of "HTML Abuse", although I haven't actually made it do anything horrible yet. Wankyu, have you had a look at Strip-o-gram?
PHP NeoBoard, the one I'm using at my commercial site, strips HTML tags from any messages. The problem is... Users want HTML tags. You just can't simply ignore their wishes with that "You don't want to mess up the whole page with your stupid tags" or "aren't you one of those malicious HTML hackers?" approach. To most users, it's more fun with HTML tags than without. Funnily enough, some of them even think making HTML tags work requires special coding where stripping them needs more coding.

As I mentioned in my previous reply to this thread, I'll give you an option for rendering the content of a message: BARE, HTML, DTML, ST. It's your call.

BTW, I'd choose my ol' tagged_str.replace("<", "&lt;").replace(">", "&gt;") approach over integrating another product :-)

Ciao,
Wankyu Choi
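An added example, not part of the original posts or of NeoBoard: it compares escaping only `<` and `>` (the approach named in the reply above) with Python's `html.escape`, and uses the standard-library `HTMLParser` to show what each produces in an element body and in an attribute value. The sample messages, function names and `render_*` templates are constructed for illustration.

```python
import html
from html.parser import HTMLParser

def escape_angle_brackets(text):
    """Encode only < and >, as in the reply's two-replace approach."""
    return text.replace("<", "&lt;").replace(">", "&gt;")

def escape_full(text):
    """Encode &, <, > and both quote characters."""
    return html.escape(text, quote=True)

def render_body(escaped):
    """Hypothetical template: message placed in an element body."""
    return "<p>" + escaped + "</p>"

def render_attr(escaped):
    """Hypothetical template: message placed in a quoted attribute."""
    return '<input value="' + escaped + '">'

class _Probe(HTMLParser):
    """Collects the start tags and text an HTML parser sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
    def handle_data(self, data):
        self.text.append(data)

def parse(markup):
    probe = _Probe()
    probe.feed(markup)
    probe.close()
    return probe.tags, "".join(probe.text)

# Constructed sample messages.
TAG_MSG = "<b>hi</b>"                # markup typed by a user
ENTITY_MSG = "use &lt;b&gt; for bold"  # user typed literal entities
QUOTE_MSG = 'hello" title="x'        # contains a double quote

if __name__ == "__main__":
    for name, esc in (("angle-only", escape_angle_brackets),
                      ("html.escape", escape_full)):
        print(name, "body  :", parse(render_body(esc(TAG_MSG))))
        print(name, "entity:", parse(render_body(esc(ENTITY_MSG))))
        print(name, "attr  :", parse(render_attr(esc(QUOTE_MSG))))
```

In an element body both functions neutralise the tags; the difference appears when the message contains `&` or is reused inside a quoted attribute, where only the full escape keeps the message as a single value.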