You should also seriously ask these questions:

1. Do the users really need any markup at all?
2. If they do, does it have to be HTML?
3. If they do, can it be a very limited set of tags?

You should be able to clean up the tags with one of the tidy or lint modules. As for avoiding JavaScript injection, my advice would be to skip HTML altogether and let the users use something like BBCode instead. You will also want to run the user input through something like HTML::Entities to escape any attempts at markup.

Please be careful; it's very easy to screw up this kind of code with one little mistake.

The one time I actually needed to accept (and filter) HTML I used HTML::Scrubber and found it to be nice. However, all other times I simply use encode_entities($input, '<>&"'); from HTML::Entities (or an equivalent speedier sub).

I have also had very good experience with HTML::Scrubber. I use it entirely in "whitelist mode", so only the tags I want come through, and for those tags, only the attributes I want on them come through.

One small drawback is that it does not check for the HTML being well-formed, e.g. if you send it HTML snippets with missing closing tags, those will come through as-is.

Larry