Preventing XSS using fckeditor


logictrap
04-25-2008, 02:44 PM
I am working on a project using fckeditor to allow content editing and am concerned about XSS and other HTML-based attacks.

I found this product HTML Purifier (http://htmlpurifier.org/) which seems like it will handle the filtering of input, but I'm hoping someone can confirm this product works and/or provide any advice about preventing xss attacks when you give users the ability to post html content.

RMcLeod
04-25-2008, 03:18 PM
strip_tags (http://uk2.php.net/manual/en/function.strip-tags.php) has an optional parameter for allowed tags. Therefore you can use strip_tags on your user input, allowing basic HTML tags, e.g. <p>, <h1>, <em> etc.

There are two problems with this which are highlighted on the php.net page.

cfructose
04-02-2010, 09:17 AM
I've just been playing with this too:

http://htmlpurifier.org

Am I right in saying that it's completely unnecessary if all I want to do is to safeguard against XSS attacks in a comments form?

I'm not allowing any tags whatsoever, so strip_tags alone will suffice, right?
Or am I underestimating the power of hackers?!
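
An added example (not code from anyone in this thread) illustrating both posts above: what strip_tags() with an allow-list leaves behind, and why plain escaping is the simpler choice when no tags are wanted at all. The sample inputs and the hasScriptableAttributes() helper are constructed for this illustration.

```php
<?php
// Added example, not from the thread. Shows the two php.net caveats RMcLeod
// refers to, using constructed inputs.

// Tags the post suggests allowing in user-submitted HTML.
$allowed = '<p><h1><em>';

// Constructed input: an allowed tag carrying an event-handler attribute,
// plus an element that is not on the allow-list.
$input = '<p onmouseover="doSomething()">hello <em>there</em></p>'
       . '<script>doSomething()</script>';

$stripped = strip_tags($input, $allowed);
var_dump($stripped);
// The <script> element is removed, but the onmouseover attribute on <p>
// survives: strip_tags() never inspects attributes of allowed tags
// (first caveat on php.net), so the output can still run script.

/**
 * Heuristic check (hypothetical helper written for this example): does the
 * filtered HTML still carry attributes that can execute script or styling?
 * Useful as a test assertion on a sanitizer's output, not as a sanitizer.
 */
function hasScriptableAttributes(string $html): bool
{
    return (bool) preg_match('/<[^>]*\s(on\w+|style)\s*=/i', $html);
}

var_dump(hasScriptableAttributes($stripped)); // bool(true)
// To allow a subset of HTML safely, tags AND attributes must be allow-listed
// by a real HTML parser; that is the job HTML Purifier (linked above) does.

// Second caveat: strip_tags() does not validate HTML, so a stray '<' in
// ordinary text is treated as the start of a tag and the rest is dropped.
var_dump(strip_tags('I <3 PHP'));   // the text after "<" is lost

// For a comments form that allows no tags at all, escape instead of stripping:
// '<', '>', '&' and quotes become entities, the browser shows them literally,
// and no user text is silently lost.
$comment = 'I <3 PHP & "quotes" <b>bold?</b>';
$escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump($escaped);
// "I &lt;3 PHP &amp; &quot;quotes&quot; &lt;b&gt;bold?&lt;/b&gt;"
```

Escape on output into HTML (htmlspecialchars) and keep the original comment text in storage; strip_tags() is only appropriate when you genuinely want tags removed from the stored data and accept the mangling of stray angle brackets.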