
View Full Version : Form validation: What dangerous characters should I look for?


MrCat
04-10-2007, 03:33 AM
Hi. I have a site where people can post photos and also captions for the photos.
I'm saving the captions in simple text files for including with the HTML. Of course, I don't want someone to put "<script>" in a caption input form, but what else should I filter out?
Is it enough just to destroy all instances of "<"? I want to give people the freedom to include brackets and hyphens etc if possible.
Any ideas appreciated!

Mhtml
04-10-2007, 03:59 AM
Well, if you parse the input caption string with htmlspecialchars(), they can use whatever they want, as the special characters will be entity references after that and not dangerous any longer.
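A worked comparison of the two approaches in the thread, added here as an example (not code from either poster). It is written in Python rather than PHP so it can be run anywhere; html.escape(quote=True) plays the role of htmlspecialchars() (in PHP, pass ENT_QUOTES so single quotes are converted as well). The captions, the page template and the file name photo.jpg are constructed for the example. The point it shows: deleting every "<" does stop a literal <script> tag, but a caption that is dropped into an attribute such as alt="..." can still break out with a quote character, while escaping at output time blocks both and keeps an innocent "<3" intact.

```python
import html
from html.parser import HTMLParser

# Constructed sample captions (not from the thread).
INNOCENT_CAPTION = 'Sunset <3 over the bay'
SCRIPT_CAPTION = '<script>alert(document.cookie)</script>'
# No '<' at all: this one targets the alt="..." attribute instead.
ATTR_CAPTION = '" onmouseover="alert(1)'


def strip_lt(caption: str) -> str:
    """The filter proposed in the question: delete every '<'."""
    return caption.replace('<', '')


def escape_caption(caption: str) -> str:
    """Escape for HTML text and attribute contexts.

    quote=True also converts both '"' and "'", which is what PHP's
    htmlspecialchars($s, ENT_QUOTES) does.
    """
    return html.escape(caption, quote=True)


def render(caption: str, sanitize) -> str:
    """Drop the caption into the two places a photo page uses it:
    an attribute value and element text. Template is hypothetical."""
    safe = sanitize(caption)
    return f'<img src="photo.jpg" alt="{safe}"><p>{safe}</p>'


class _TagCollector(HTMLParser):
    """Records the tags and attribute names a browser-style parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def is_injected(rendered: str) -> bool:
    """True if the rendered page contains a <script> element or any
    event-handler attribute (on...), i.e. the caption escaped its
    intended context. Checked on the parsed tree, not with a string
    search, so escaped text like '&quot; onmouseover=' does not count."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return 'script' in parser.tags or any(
        name.startswith('on') for name in parser.attr_names
    )


if __name__ == '__main__':
    for label, sanitize in (('strip "<"', strip_lt), ('escape', escape_caption)):
        for caption in (INNOCENT_CAPTION, SCRIPT_CAPTION, ATTR_CAPTION):
            page = render(caption, sanitize)
            print(f'{label:10} injected={is_injected(page)!s:5} {page}')
```

Run it and the "strip" row for ATTR_CAPTION comes out injected while the "escape" rows never do. The general rule: store the caption text exactly as typed and escape it for the context it is inserted into at output time; an input filter that removes one character has to guess every context the data will ever reach.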

Locked
04-10-2007, 06:20 AM
I've been an admin on a text-based game for about a year or two now, and "/' has always been trouble, e.g. using the BBCode tag to hide JavaScript to take cookies and such. IMO your best bet would be to Google it and see what problems others have had, and think about how you could break it.