If you're allowing users to create blogs from subdomains, then what code should you make sure is always stripped from posts? For example, you would always want to remove "<?php" so that PHP couldn't be run. Is it safe to allow all JavaScript to be used as well?
No, it's definitely not safe to allow JavaScript. That would allow cross-site scripting attacks. I would also strip out HTML such as frame and iframe tags. Basically, any HTML that isn't solely used for presentation.
I'm using the following at the moment which seems to work okay:
PHP:
$newText = strip_tags($text, '<p><a><b><strong><i><u><img><strike><sub><sup><ol><ul><li><div><blockquote><object><param><embed><hr><br><table><tbody><tr><td><h1><h2><h3><h4><h5><span>');
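An added example, not part of the original posts: strip_tags() with an allowed-tags list leaves every attribute on the allowed tags untouched, so event-handler attributes and script-scheme URLs on tags such as <a> and <img> pass through. The sketch below parses the post with DOMDocument and allowlists tags, attributes and URL prefixes; the lists and the names ALLOWED, DROP_WITH_CONTENT, SAFE_URL, clean() and sanitize_post() are assumptions chosen for illustration.

```php
<?php
const ALLOWED = [                           // assumed allowlist: tag => attributes permitted on it
    'p' => [], 'b' => [], 'strong' => [], 'i' => [], 'u' => [], 'br' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href', 'title'], 'img' => ['src', 'alt'],
];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'frame', 'object', 'embed'];
const SAFE_URL = '~^(?:https?://|mailto:|[/#])~i';   // any other URL prefix is rejected

function clean(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes) as $node) {
        if ($node instanceof DOMText) { continue; }
        $tag = $node instanceof DOMElement ? strtolower($node->tagName) : '';
        if ($tag === '' || in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($node);    // comments, scripts, embedded objects
            continue;
        }
        clean($node);
        if (!array_key_exists($tag, ALLOWED)) {
            while ($node->firstChild) {     // unknown tag: keep only its cleaned children
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $isUrl = in_array($attr->name, ['href', 'src'], true);
            if (!in_array($attr->name, ALLOWED[$tag], true) || ($isUrl && !preg_match(SAFE_URL, $attr->value))) {
                $node->removeAttributeNode($attr);
            }
        }
    }
}

function sanitize_post(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);       // user HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    clean($root);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
// Constructed sample input.
echo sanitize_post('<p onclick="track()">Hi <a href="javascript:void(0)">link</a></p><script>x()</script>');
```

Output from sanitize_post() is meant for an HTML body context only; values placed into attributes or scripts still need context-specific escaping.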