Before displaying, modify user input to defang scripts: & " ']]> '&040;', ')' => '&041;'));]]> $ok = strip_tags($bad); $iso_8859_1 = utf8_decode($bad);