I just have a question about XSS filters, although it's not about escaping them. I've found quite many sites with forms that allow HTML tags with a length of 3 characters to pass through the filter but remove all other ones. For example, the <u>, <b> and <i> tags get through but <br>, <script>, <iframe> and <img> do not.
What PHP function are the sites using, or is it just some kind of filter that they've written themselves? It could of course be strip_tags(), but then they must've set the filter argument to accept all of the short tags (and I can't see why anyone would do that in for example a registration form or search box...)
As I said, I've seen this on quite many sites so it's not just a single system that uses this solution... Any thoughts or ideas will be much appreciated B)