WebSite X5 Help Center

Rod M.
User

HTML in the Comment object

Author: Rod M.

I discovered that in the message box of the comment/guestbook system object an external user can use HTML to make a link if they so wish. While that in itself is not really a problem, it worries me (a little) that, taking this to the next level, malicious code may possibly be invoked in such a box. I don't say this to raise alarm, but I have had this happen in the past. I had a site where there was a message box for user comments, and the site became infected because someone put in code. I had to get professionals at great expense to clean it.

I'd really like to see the comment object have real format editing capability such as the one I am writing this in. I hope it's on the cards.

So the question is: Do websites that use the commenting/guestbook object parse input before posting to strip it of the possibility of executing code, but keep minimal formatting code?

2 ANSWERS - 1 CORRECT
Claudio D.
Incomedia

Hello Rod,

Yes, code cannot be executed. You can use simple formatting HTML code in the comment object.

Many thanks!

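The behaviour asked about in this thread (keep minimal formatting, strip anything that could execute) is usually implemented as an allowlist sanitizer. The sketch below is an added example, not part of the original thread and not WebSite X5's own code; the tag list, the scheme list and every name in it are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for illustration; not WebSite X5's actual rules.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "u", "p", "br"}
DROP_WITH_CONTENT = {"script", "style"}  # remove the tag and its body
SAFE_SCHEMES = {"http", "https", "mailto"}

def is_safe_href(href):
    try:
        return urlsplit(href).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL: treat as unsafe
        return False

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS:
            href = (dict(attrs).get("href") or "").strip()
            kept = ""
            # Every attribute is dropped (onclick, style, ...) except a vetted href.
            if tag == "a" and is_safe_href(href):
                kept = f' href="{escape(href, quote=True)}" rel="nofollow noopener"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif self.skip_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.skip_depth == 0:  # text is always re-escaped on output
            self.out.append(escape(data, quote=False))

def sanitize_comment(raw):
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)

# Constructed sample comment, not taken from a real site.
SAMPLE = ('Hi <b onclick="x()">there</b> <script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a> '
          '<a href="https://example.com/page">site</a><img src=x onerror=alert(1)>')
```

Sanitizing on output as well as on input, and serving the page with a Content-Security-Policy that forbids inline script, covers the case where a stored comment predates the filter.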
Rod M.
User
Author

Thanks for setting my mind to rest. Most appreciated.
