Feature request... Add stripping of inline javascript to stripScripts()
zhegwood
24 Apr 2009, 8:21 AM
I'm just thinking it'd be helpful to strip inline javascript events as well as the <script> tags and their content.
Ext lacks any function to sanitize HTML code :-(
There is the google-caja project (which includes a JavaScript sanitizer: http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer); it would be worth mentioning in the docs (for stripScripts), along with a note that stripScripts isn't secure at all.
(google-caja works by whitelisting secure tags, attributes and css. If you like, you can define your own whitelists: http://code.google.com/p/google-caja/wiki/CajaWhitelists).
The best solution is to implement secure sanitize_html() in ext :-)
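The allow-list approach the reply above describes, as an added example in plain JavaScript; it is not Ext code, not Caja code, and not the sanitize_html() being requested. It contrasts a tag-only strip of the kind stripScripts() performs (modelled here as `stripScriptTagsOnly`, an assumed shape rather than Ext's actual implementation) with `sanitizeHtml`, which keeps only listed tags, only listed attributes per tag (so every `on*` handler and `style` is dropped) and only `href` values whose scheme is on the list (so `javascript:` and `data:` are dropped, including entity-obfuscated forms). The tokenizer assumes markup in which `>` does not appear inside attribute values; a production sanitizer should sit on a real HTML parser, which is what Caja does.

```javascript
// Tag-only stripping of the kind the thread says is insufficient. This is an
// assumed stand-in for illustration, not Ext's stripScripts() source.
function stripScriptTagsOnly(html) {
  return html.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Allow-list sanitizer: anything not explicitly permitted is dropped.
const ALLOWED_TAGS = new Set(['a', 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'ul']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
// Elements whose body is code rather than prose: the body is discarded, not escaped.
const RAW_TEXT_TAGS = new Set(['script', 'style']);

// Escape text for output while leaving already well-formed entity references alone.
function escapeText(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);)/gi, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Decode numeric and common named entities so an obfuscated scheme such as
// "java&#115;cript:" is seen as "javascript:" before the scheme check.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|amp|lt|gt|quot|apos|tab|newline);?/gi, (_, e) => {
    const ref = e.toLowerCase();
    if (ref[0] !== '#') return named[ref];
    return String.fromCodePoint(ref[1] === 'x' ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10));
  });
}

// A URL is acceptable if it is relative (no scheme) or its scheme is on the allow list.
function safeUrl(value) {
  // Remove control characters and whitespace that browsers ignore inside a scheme.
  const probe = decodeEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(probe);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}

// Rebuild the attribute string from scratch, keeping only listed names.
function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const re = /([a-z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  let out = '';
  for (let m; (m = re.exec(attrText)) !== null;) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                  // drops onclick, onerror, style, ...
    if (name === 'href' && !safeUrl(value)) continue;  // drops javascript:, data:, vbscript:
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Tokenize into comments, tags, text and stray "<", then re-emit only what is allowed.
function sanitizeHtml(html) {
  const token = /<!--[\s\S]*?-->|<(\/?)([a-z][a-z0-9]*)([^>]*)>|[^<]+|</gi;
  let out = '';
  let skipping = null;  // name of a raw-text element whose body is being dropped
  for (let m; (m = token.exec(html)) !== null;) {
    const [text, slash, rawName, attrText] = m;
    if (rawName === undefined) {                       // comment, text, or stray "<"
      if (!skipping && !text.startsWith('<!--')) out += escapeText(text);
      continue;
    }
    const name = rawName.toLowerCase();
    if (skipping) {
      if (slash && name === skipping) skipping = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      if (!slash && RAW_TEXT_TAGS.has(name)) skipping = name;
      continue;                                        // unknown tag dropped, its text kept
    }
    out += slash ? `</${name}>` : `<${name}${sanitizeAttrs(name, attrText)}>`;
  }
  return out;
}

// Constructed sample showing the gap: the handler survives tag-only stripping.
const sample = '<p onclick="steal()">Hi <b>there</b></p><script>alert(1)</script>';
console.log(stripScriptTagsOnly(sample));  // handler still present
console.log(sanitizeHtml(sample));         // <p>Hi <b>there</b></p>
```

Because the output is rebuilt from the allow list rather than produced by deleting known-bad patterns, anything the tokenizer does not recognise falls out as escaped text instead of surviving as markup; that is the property a blacklist such as a script-tag regex cannot give.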