Currently I'm getting spam submissions to my directory, and the description they put in was like: What's the PHP script, and how do I add the script on the server side to disable HTML code in the description box?
First of all, add some type of "human check". Then you can use the strip_tags() function, or just check the posted value for allowed characters with eregi() or preg_match().
I use a function to strip tags etc. and a CAPTCHA, and I don't reverse the tags (I leave them as XHTML on the output). Where I do want HTML to be interpreted as HTML, I use BBCodes to make sure that only what has a function to parse and generate will be converted.
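The two replies above describe the same pipeline from different ends: whitelist or strip the submitted text, then escape it on output, and use BBCode rather than raw HTML where formatting is wanted. The following is an added example (not code posted in this thread) that puts those pieces together in PHP. The function names, the length limit and the two sample submissions are my own assumptions; eregi() from the first reply was deprecated in PHP 5.3 and removed in PHP 7, so the whitelist check uses preg_match() instead.

```php
<?php
// Added example (not code from the thread): handling a directory
// "description" field with the techniques the replies above mention.
// Function names, the length limit and the sample inputs are assumptions.
declare(strict_types=1);

const MAX_DESCRIPTION_LENGTH = 1000;

// Whitelist check: letters, digits, whitespace and punctuation only.
// '<', '>', '=', '|', '$' and friends are Unicode symbols, not punctuation,
// so a submission containing any HTML tag fails this test before we touch it.
function description_is_clean(string $text): bool
{
    return mb_strlen($text, 'UTF-8') <= MAX_DESCRIPTION_LENGTH
        && preg_match('/\A[\p{L}\p{N}\p{P}\s]*\z/u', $text) === 1;
}

// Fallback sanitiser for a lenient form: drop every tag, collapse whitespace.
// strip_tags() removes '<a href=...>' and '<script>' but keeps the text
// between them, so the stored value must still be escaped on output.
function sanitize_description(string $text): string
{
    $text = strip_tags($text);
    $text = preg_replace('/\s+/u', ' ', $text) ?? '';
    return trim($text);
}

// Output path 1: plain text. Escaping here guarantees nothing stored is
// ever interpreted as HTML, whatever slipped past the input checks.
function render_plain(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Output path 2: a tiny BBCode subset. Escape first, then translate only
// the tags we have an explicit rule for; anything else stays literal text.
function render_bbcode(string $stored): string
{
    $safe  = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $rules = [
        '/\[b\](.*?)\[\/b\]/su' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/su' => '<em>$1</em>',
        // Only http(s) links. Quotes and angle brackets in $safe are already
        // entity-encoded, so they cannot break out of the href attribute.
        '/\[url\](https?:\/\/[^\s\[\]]+)\[\/url\]/u'
            => '<a href="$1" rel="nofollow noopener">$1</a>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $safe) ?? $safe;
}

// Decide what to store: reject when the whitelist fails (strict mode),
// or fall back to stripping tags (lenient mode).
function process_submission(string $text, bool $strict = true): ?string
{
    if (description_is_clean($text)) {
        return trim($text);
    }
    return $strict ? null : sanitize_description($text);
}

// Constructed samples: one legitimate entry and one typical link-spam entry.
$samples = [
    'legit' => 'Family-run bakery in Leeds. [b]Open daily[/b], see [url]https://example.org/[/url].',
    'spam'  => '<a href="http://example.com/">cheap pills</a><script>alert(1)</script> & more',
];

foreach ($samples as $label => $input) {
    $strict  = process_submission($input, true);
    $lenient = process_submission($input, false);
    echo "$label (strict):  ", $strict === null ? 'REJECTED' : render_bbcode($strict), PHP_EOL;
    echo "$label (lenient): ", render_plain((string) $lenient), PHP_EOL;
}
```

Run with `php sanitize_description.php`: the legitimate entry passes the whitelist and renders as `<strong>` and a nofollow link, while the spam entry is rejected outright in strict mode and reduced to `cheap pillsalert(1) &amp; more` in lenient mode. The important design point is that neither strip_tags() nor the whitelist is treated as the security boundary; htmlspecialchars() on every output path is what stops stored text from being interpreted as HTML, and BBCode is translated only after that escaping has happened.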
Possibly use an image verification script alongside your form. Those are the little images with random text on them that you have to repeat accurately to submit a form. There are several online, but they might be difficult to implement in a pre-built script.
No, I have image verification in the submission form, and it looks like this is a virus. Do any other directory owners have the same problem?