in reply to Checking forms for JavaScript

Forget the regexes. Use an HTML parsing module, like HTML::Parser or HTML::TokeParser, and parse the user input. This is more sturdy and less magical than any regex, and it allows you to strip out any HTML, and not just certain attributes or tags.
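The approach recommended above, using HTML::Parser, as an added example that is not part of the original post. The `strip_html` helper name and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Parser ();
use HTML::Entities qw(encode_entities);

# Return the text content of $input with all markup removed,
# re-encoded so it can be printed into an HTML page.
# (strip_html is a hypothetical helper name, not part of HTML::Parser.)
sub strip_html {
    my ($input) = @_;
    my $text = '';

    my $p = HTML::Parser->new(
        api_version => 3,
        # Only a text handler is registered. Tags, comments and
        # declarations have no handler, so they never reach the output.
        text_h => [ sub { $text .= shift }, 'dtext' ],
    );

    # Skip the bodies of these elements too; otherwise the script
    # source would be delivered to the text handler as plain text.
    $p->ignore_elements(qw(script style));

    # Deliver each run of text in one piece instead of in chunks.
    $p->unbroken_text(1);

    $p->parse($input);
    $p->eof;

    # 'dtext' decodes entities, so "&lt;b&gt;" in the input is now "<b>".
    # Encode again before the value goes back into a page.
    return encode_entities($text, q{<>&"'});
}

# Constructed sample form input.
my $sample = q{<p onclick="x()">Hello <b>world</b></p>}
           . q{<script>alert(1)</script> 1 &lt; 2};

print strip_html($sample), "\n";
```

The final `encode_entities` call matters as much as the parsing: without it, entity-encoded markup in the input would come back out of the handler as live tags.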