Cut out the tags you want to allow, leaving markers to tell where they're supposed to be and storing the tags in an array. <p> might become <?M23?> temporarily (23 being the array subscript). Perform strict validation on each stored tag, remove all remaining tags from the page, reinsert the stored tags. Presto, you're safe from all major abuses. You still have to worry about people linking to or including images from porn or other unallowed URLs, but given that yours is a user-based system, that shouldn't be a significant problem assuming your login system is uncrackable. If someone does something naughty, just ban them and keep the rest of the month's payment.