Cross-site scripting (XSS) defense

johnzenger at gmail.com johnzenger at gmail.com
Fri Jun 16 13:57:01 EDT 2006


Is there a module (or, better yet, sample code) that scrubs
user-entered text to remove cross-site scripting attacks, while also
allowing a small subset of HTML through?

Contemplated application: a message board that allows people to use
<b>, <a href="">, <i> and so on, but does not allow any javascript,
vbscript, or other nasties.
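
An allowlist scrubber of the kind asked about above, as an added example that is not part of the original post. It uses only the standard library's `html.parser`; the tag list, the URL scheme list and the names `scrub`, `Scrubber` and `safe_url` are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}   # assumed allowlist for the board
ALLOWED_SCHEMES = {"http", "https", "mailto"}    # assumed; everything else is refused
DROP_CONTENT = {"script", "style"}               # tags whose text is discarded too

def safe_url(value):
    # Browsers ignore tabs and newlines inside a URL, so strip them before checking.
    cleaned = "".join(ch for ch in (value or "") if ord(ch) > 0x20)
    scheme, sep, _ = cleaned.partition(":")
    return cleaned if sep and scheme.lower() in ALLOWED_SCHEMES else None

class Scrubber(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            attr_text = ""   # every attribute is dropped except a checked href
            if tag == "a":
                url = safe_url(dict(attrs).get("href"))
                if url:
                    attr_text = ' href="%s" rel="nofollow"' % html.escape(url, quote=True)
            self.out.append("<%s%s>" % (tag, attr_text))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open_tags and not self.skip:
            while self.open_tags:   # close inner tags first to keep output balanced
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:   # text is always re-escaped, never passed through raw
            self.out.append(html.escape(data, quote=False))

def scrub(text):
    parser = Scrubber()
    parser.feed(text)
    parser.close()
    return "".join(parser.out) + "".join("</%s>" % t for t in reversed(parser.open_tags))
```

The output is rebuilt from parsed tokens rather than produced by deleting patterns from the input, so anything the parser does not recognise as an allowed tag ends up escaped or dropped.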




More information about the Python-list mailing list