[eluser]nmweb[/eluser]
It's kind of lengthy, but here you go. It removes all sorts of stuff that could indicate an XSS attack. It's not run automatically by default, although it could be configured to do so somewhere in the config files.
Code:
* Remove Null Characters
*
* This prevents sandwiching null characters
* between ascii characters, like Javascript.
* Validate standard character entities
*
* Add a semicolon if missing. We do this to enable
* the conversion of entities to ASCII later.
* Validate UTF16 two byte encoding (x00)
*
* Just as above, adds a semicolon if missing.
* URL Decode
*
* Just in case stuff like this is submitted:
*
* <a href="http://www.google.com">Google</a>
*
* Note: Normally urldecode() would be easier but it removes plus signs
* Convert character entities to ASCII
*
* This permits our tests below to work reliably.
* We only convert entities that are within tags since
* these are the ones that will pose security problems.
* Convert all tabs to spaces
*
* This prevents strings like this: javascript
* NOTE: we deal with spaces between characters later.
* NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
* so we use str_replace.
*
This is just for starters; it goes on and on. See input.php in the libraries folder to see what else you can't do.
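The comments above describe a normalisation pipeline: decode or strip the encodings an attacker might use before running any pattern checks, so that the checks see one canonical form. The following is an added example in Python (not CodeIgniter's code, and not from the post) that reimplements those listed steps in simplified form; the function names and the constructed inputs are assumptions for illustration.

```python
import re
from html import unescape


def normalize_for_xss_check(s: str) -> str:
    """Canonicalise a string the way the steps in the post describe.

    Simplified re-implementation for illustration, not the library's own code.
    """
    # 1. Remove null characters (defeats "java\x00script" style splitting).
    s = s.replace("\x00", "")
    # 2. Decimal entity without a trailing semicolon: add one (&#106 -> &#106;).
    s = re.sub(r"(&#\d+)(?![;\d])", r"\1;", s)
    # 3. Hex entity without a trailing semicolon: add one (&#x6A -> &#x6A;).
    s = re.sub(r"(&#[xX][0-9a-fA-F]+)(?![;0-9a-fA-F])", r"\1;", s)
    # 4. URL-decode %XX sequences by hand; urllib's unquote_plus would turn
    #    '+' into a space, which the post's note warns against.
    s = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    # 5. Convert character entities to ASCII, but only inside tags.
    s = re.sub(r"<[^>]*>", lambda m: unescape(m.group(0)), s)
    # 6. Tabs to spaces; whitespace between letters is handled by the check below.
    s = s.replace("\t", " ")
    return s


def looks_like_script_uri(s: str) -> bool:
    """Detect a 'javascript:' scheme even with whitespace between the letters."""
    return re.search(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", s, re.I) is not None


if __name__ == "__main__":
    # Constructed test vectors: each is an obfuscated form of the same thing.
    for sample in ["java\x00script:x", "<a href='&#106avascript:x'>", "%6Aava\tscript:x"]:
        canon = normalize_for_xss_check(sample)
        print(repr(sample), "->", repr(canon), looks_like_script_uri(canon))
```

After normalisation the three constructed inputs all reduce to a form the single pattern check catches, which is the point of doing the decoding steps first.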