Strip_tags removes tags unless you specify ones to be allowed, but doesn't remove attributes.

So if you allowed <b> tags, someone could post <b onClick='alert("msg")'>bold</b> and have it accepted by the server..

Does anyone have a reliable script to remove attributes from html tags? The scripts on the php strip_tags() page don't seem to work for me ..