To strip the languages you can use code similar to this:
// Replace angle brackets with their HTML entities
$string = str_replace("<","&lt;",$string);
$string = str_replace(">","&gt;",$string);
This will replace "<" and ">" so they don't get interpreted as code.
That won't stop everything though; they can encode it and do a number of other things. I would google "xss"; you'll find good info there.
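
The bracket replacement described above, set beside PHP's built-in encoders for each output context. This is an added example, not part of the original post; the function names and the sample input are hypothetical.

```php
<?php
// Added example: encode on output, per context. Function names are hypothetical.

// The approach from the post: only angle brackets are replaced.
// Quotes and ampersands pass through unchanged, which matters when the
// value is written inside a quoted HTML attribute.
function escape_brackets_only(string $s): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $s);
}

// HTML body text and quoted attribute values: encodes <, >, &, " and '.
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD; without it
// htmlspecialchars() returns an empty string on invalid input.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed in a URL query string.
function escape_url_param(string $s): string
{
    return rawurlencode($s);
}

// A value written into a <script> block as a JavaScript string literal.
// The JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes so the
// literal cannot close the surrounding script element or string.
function escape_js_literal(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input.
$input = 'Tom & "Jerry" <b>';

echo escape_brackets_only($input), "\n";
echo escape_html($input), "\n";
echo escape_url_param($input), "\n";
echo escape_js_literal($input), "\n";
```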