Rohan Shenoy Posted July 10, 2008

Hi guys,

I am working on my website where I need to prevent cross site scripting attacks. I do not want to use htmlspecialchars(), htmlentities() or any strip_tags() because I need to be able to post images and other HTML formatting.

At present this is how I do it:

```php
$prohibitedstrings=array("<script","<script","%3Cscript","<link","<link","%3Clink");
$_GET=str_ireplace($prohibitedstrings,'',$_GET);
$_POST=str_ireplace($prohibitedstrings,'',$_POST);
```

Are there any more patterns I should add to the '$prohibitedstrings' array? After observing these precautions, are there any other loopholes through which XSS can be exploited?

Thank you!
-Rohan

Topic: https://forums.phpfreaks.com/topic/114173-preventing-xss-attack-using-str_ireplace-which-strings-to-replace/
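The following is an added example and is not code from the post above. It shows two things: first, that the post's str_ireplace blacklist (reproduced here with the duplicated entries collapsed, and run over a string rather than the whole $_GET/$_POST arrays) lets through constructed payloads that need no `<script` string at all, and reassembles one that was split; second, an allowlist sanitizer built on PHP's DOMDocument that keeps images and formatting while dropping everything it does not explicitly permit. The tag, attribute and scheme lists (ALLOWED_TAGS, ALLOWED_ATTRS, ALLOWED_SCHEMES), the function names and all sample inputs are this example's own choices, not anything the post or a library defines.

```php
<?php
// Part 1: the post's blacklist approach, applied to a single string.
function blacklistFilter(string $html): string
{
    $prohibited = ['<script', '%3Cscript', '<link', '%3Clink'];
    return str_ireplace($prohibited, '', $html);
}

// Constructed payloads; each executes script in a browser.
$bypasses = [
    '<img src=x onerror=alert(1)>',         // event handler, no "<script" anywhere
    '<svg onload=alert(1)>',                // any element with an event handler
    '<a href="javascript:alert(1)">x</a>',  // script carried in a URL scheme
    '<scr<scriptipt>alert(1)</script>',     // one removal pass rebuilds "<script"
];
foreach ($bypasses as $p) {
    echo "blacklist: ", blacklistFilter($p), "\n";
}

// Part 2: allowlist sanitizer. Anything not listed here is removed.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'u', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height']];
const ALLOWED_SCHEMES = ['http', 'https'];

function isSafeUrl(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so strip them before looking for one.
    $probe = (string) preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true;  // no scheme: relative URL, inherits the page's own scheme
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function cleanNode(DOMNode $node): void
{
    // Iterate over a copy: removing children from a live DOMNodeList skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is rendered, never executed
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);     // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child);     // unknown element and all of its content
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name  = strtolower($attr->name);
            $isUrl = ($name === 'href' || $name === 'src');
            // This is what removes onerror=, onload=, style= and javascript: links.
            if (!in_array($name, $allowed, true) || ($isUrl && !isSafeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);       // user-supplied HTML is rarely well-formed
    // Wrap the fragment so its children can be located; the PI sets the charset.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $root = $doc->getElementsByTagName('div')->item(0);   // the wrapper added above
    if ($root === null) {
        return '';
    }
    cleanNode($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed samples: one legitimate post, then the same payloads as above.
$samples = [
    '<p>Hello <b>world</b> <img src="http://example.com/a.png" alt="pic"></p>',
    '<img src=x onerror=alert(1)>',
    '<svg onload=alert(1)>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="java&#9;script:alert(1)">tab inside the scheme</a>',
    '<script>alert(1)</script><p>after</p>',
];
foreach ($samples as $s) {
    echo "sanitized: ", sanitizeHtml($s), "\n";
}
```

Part 1 returns the first three payloads unchanged, and turns the fourth into a plain `<script>` element because the one pass of str_ireplace removes the inner `<script` and the surrounding characters close up around the gap; nesting one level deeper defeats each additional pass. Part 2 keeps the legitimate first sample, strips the event handlers and the javascript: links (the tab-split one is caught because the DOM parser has already decoded the `&#9;` by the time the attribute value is checked), and drops the svg and script elements outright. The important difference is structural: a blacklist has to name every dangerous string that exists or will exist, while the allowlist only has to name the handful of tags and attributes the site actually wants. Apply the sanitizer to the one field that is allowed to carry HTML, at the point where it is stored or rendered, rather than rewriting the whole of $_GET and $_POST; and for production, a maintained library such as HTML Purifier does this job with far more edge cases covered than the sketch above.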