in reply to Re: Re (tilly) 2: Opinions needed on CGI security
in thread Opinions needed on CGI security

There are certainly ways of filtering out all possibly evil HTML and Javascript, but they may be too restrictive for your application. For instance, you could launder CGI data through /([a-zA-Z0-9_&;\s]*)/, which would disallow all HTML except for entities, but this would be much too restrictive for a site like PerlMonks where we need to be able to post code.

Constructing a character class that filters out bad stuff is trivial. On the other hand, constructing a hack-proof set of regexen that permit specific combinations of characters while disallowing others (as in allow <a> but disallow <script> while allowing '<' and '>' if inside a code block) is far from easy.

Everything's implementation of the latter is something you might want to take a look at.

   MeowChow
               s aamecha.s a..a\u$&owag.print
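The two approaches MeowChow contrasts, as an added example that is not part of the original post and not Everything's code: the character-class launder (which, note, keeps only the leading run of permitted characters and silently drops whatever follows the first disallowed one), and a small allow-list tag filter that keeps `<a href="http...">` and `<code>`, shows every other tag as literal text, and escapes `<` and `>` inside a code block so they display rather than render. The input string, the tag set, and the function names are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from Everything):
# two ways of filtering CGI-supplied text before it is echoed as HTML.
use strict;
use warnings;

# Strategy 1: launder through a character class (entities allowed, tags not).
# The capture also untaints under -T. Caveat: this matches the longest run of
# permitted characters starting at the beginning, so everything from the
# first disallowed character onward is dropped, not escaped.
sub launder_strict {
    my ($s) = @_;
    my ($clean) = $s =~ /([a-zA-Z0-9_&;\s]*)/;
    return $clean;
}

# Minimal HTML escaping for text that must display literally.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Strategy 2: allow-list filter. Only <a href="http(s)://..."> , </a>,
# <code> and </code> pass through; every other tag (including <script>)
# is escaped and shown as text. Inside <code>, all markup is escaped so
# '<' and '>' display as characters until the matching </code>.
sub filter_html {
    my ($html) = @_;
    my $out     = '';
    my $in_code = 0;

    # Tokenize into complete tags, text runs, and stray '<' characters
    # (a '<' with no closing '>' before the next '<' is treated as text).
    while ($html =~ /\G(?:(<[^<>]*>)|([^<]+)|(<))/gc) {
        if (defined $1) {
            my $tag = $1;
            if ($in_code) {
                if ($tag =~ m{^</code>$}i) { $in_code = 0; $out .= '</code>'; }
                else                       { $out .= escape_html($tag); }
                next;
            }
            if ($tag =~ m{^<code>$}i) {
                $in_code = 1;
                $out .= '<code>';
            }
            elsif ($tag =~ m{^<a\s+href\s*=\s*"(https?://[^"\s]+)"\s*>$}i) {
                # Scheme is pinned to http/https, so javascript: URLs fail here.
                $out .= '<a href="' . escape_html($1) . '">';
            }
            elsif ($tag =~ m{^</a>$}i) {
                $out .= '</a>';
            }
            else {
                $out .= escape_html($tag);   # <script>, <img onerror=...>, etc.
            }
        }
        elsif (defined $2) {
            $out .= escape_html($2);
        }
        else {
            $out .= '&lt;';
        }
    }
    $out .= '</code>' if $in_code;   # never emit an unbalanced <code>
    return $out;
}

# Constructed sample input for demonstration.
my $input = q{<a href="http://perlmonks.org">monks</a> }
          . q{<script>alert(1)</script> }
          . q{<code>if ($x < 1) { print "<b>" }</code>};

print launder_strict($input), "\n";   # stops at the first '<': prints nothing
print filter_html($input), "\n";
# The second line comes out as:
# <a href="http://perlmonks.org">monks</a> &lt;script&gt;alert(1)&lt;/script&gt;
# <code>if ($x &lt; 1) { print &quot;&lt;b&gt;&quot; }</code>
```

The tokenizer is deliberately simple (no attribute parser, no nested tags beyond the allow-list), which is exactly why the approach stays tractable: each permitted tag is matched against one anchored pattern, and anything that does not match is escaped rather than passed through. Widening the allow-list, for example to `<a>` with additional attributes, is where the difficulty the post describes begins.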