How is your advice regarding HTML safety poor? Let me count the ways:
- It's best to clean up your data both before and after. Before storing the data, you need to clean it up enough to make it safe to store. (In many cases, this can be skipped in favor of using parametrized queries (placeholders).)
Cleanup for display needs to be done immediately prior to display because, if you only clean up the HTML before storing it and a new exploit is discovered next week, the data already in your database may still contain that exploit. Doing this cleanup on display is the only way to ensure that all current cleanup will be performed on older data. (Pre-cleaning before storage isn't a bad thing, but it is not sufficient by itself.)
- < and > are major issues even if you don't use javascript. <iframe src='http://rogue.com/path/to/exploit.html'></iframe>, for example.
- Your set of suggested regexes take a blacklisting approach ("block these three specific characters") which, by its very nature, is susceptible to letting potential dangers slip through. It's much better to go with whitelisting ("this set of characters are known (or at least believed) to be safe; block everything else") in the general case or to use a proper HTML escaping function in the specific case of handling HTML output.