Hi!
I'm +1 for sanitizing all output depending on whether HTML is allowed or not. However I admit I haven't looked at the current code for ages. :(
You cannot do any sanitizing on data inserted to MySQL - field values, SQL commands etc. ... And that's most of the data we handle ;-).
I was speaking of the output of strings, not the "input". When we display the SQL commands to the user, we should be able to apply htmlspecialchars, right?! [In this case I think we're doing it already, but how I understood Marc, he wanted to make sure that we always do that]
Regards, Garvin
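Worked example of the point made above (added here; not code from this thread or from phpMyAdmin): data goes into the database untouched, and htmlspecialchars is applied only when a string is rendered as HTML. It assumes the pdo_sqlite extension so it runs without a MySQL server; the function names are hypothetical.

```php
<?php
// Added example: no sanitizing on the way into the database,
// escaping only at the point where a string is displayed as HTML.
// Uses an in-memory SQLite database through PDO (assumed available).

function render_for_html(string $s): string {
    // Escape on output only; ENT_QUOTES also covers attribute contexts.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function store_and_display(PDO $db, string $sql, array $params): array {
    // The SQL command and its parameters reach the database unmodified.
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $db->query('SELECT note FROM t')->fetch(PDO::FETCH_ASSOC);
    return [
        'stored'     => $row['note'],               // exactly what was entered
        'sql_html'   => render_for_html($sql),       // the command, safe to echo
        'value_html' => render_for_html($row['note']), // the field value, safe to echo
    ];
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE t (note TEXT)');

// Constructed input containing markup and a quote character.
$input = '<script>alert("x")</script> O\'Brien';
$out = store_and_display($db, 'INSERT INTO t (note) VALUES (:n)', [':n' => $input]);

// The stored value is intact; only the displayed copies are escaped.
assert($out['stored'] === $input);
assert(strpos($out['value_html'], '<') === false);
echo $out['sql_html'], "\n";
echo $out['value_html'], "\n";
```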