views: 38

answers: 1

I am doing this. It seems to work, but is it the best way? Like, could people still post XSS code, or should this catch it all?

// regex blacklist: break up a few dangerous tokens with an empty <b></b>
$pattern[0] = '/script/'; 
$pattern[1] = '/onmouseover/'; 
$pattern[2] = '/onerror/';
$pattern[3] = '/onload/';
$replacement[0] = 'scr<b></b>ipt'; 
$replacement[1] = 'onmouse<b></b>over'; 
$replacement[2] = 'on<b></b>error'; 
$replacement[3] = 'on<b></b>load';   // index fixed: was [2], which overwrote the onerror replacement
// apply every pattern to the user's input
$clean = preg_replace($pattern, $replacement, $input);
+4  A: 

To sanitize user-generated HTML content, I would rather rely on the services of an existing, actively maintained library like HTML Purifier:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

Pekka
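As an added example (not code from the question or from the HTML Purifier project), the following PHP script puts the question's blacklist next to the two approaches the answer points towards: plain output encoding when users do not need HTML at all, and HTML Purifier's whitelist when they do. The blacklist part shows a practical caveat the question does not mention: because the patterns are substring matches, ordinary words such as "description" or "subscription" get rewritten too. The script assumes HTML Purifier was installed with Composer so that `vendor/autoload.php` exists; the sample inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// 1. The regex blacklist from the question, wrapped in a function.
function blacklistFilter(string $input): string
{
    $pattern     = ['/script/', '/onmouseover/', '/onerror/', '/onload/'];
    $replacement = ['scr<b></b>ipt', 'onmouse<b></b>over', 'on<b></b>error', 'on<b></b>load'];
    return preg_replace($pattern, $replacement, $input);
}

// Constructed, perfectly harmless input: both words contain "script".
$legit = 'Product description and newsletter subscription';
echo blacklistFilter($legit), "\n";
// Output: Product descr<b></b>iption and newsletter subscr<b></b>iption
// The filter damages normal text, and it only knows the four tokens it was told about.

// 2. When users only need to post plain text: do not filter on input, encode on output.
//    Every character that could start markup is turned into an entity, so the
//    browser renders the text literally regardless of what it contains.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo escapeForHtml('<script>alert(1)</script>'), "\n";
// Output: &lt;script&gt;alert(1)&lt;/script&gt;  (displayed as text, never executed)

// 3. When users may post a limited subset of HTML: use HTML Purifier's whitelist.
//    Assumption: the library is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
// Only these elements/attributes survive; everything else is dropped, not "broken up".
$config->set('HTML.Allowed', 'p,b,i,ul,ol,li,a[href]');
// Restrict link targets to web URLs.
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
$purifier = new HTMLPurifier($config);

// Constructed sample: allowed formatting mixed with a disallowed script element.
$userHtml = '<p>Hello <b>world</b></p><script>alert(1)</script>';
echo $purifier->purify($userHtml), "\n";
// Output: <p>Hello <b>world</b></p>
```

The whitelist approach is what scales: you enumerate what is allowed (a handful of formatting tags) rather than trying to name every dangerous token, and the library is responsible for tracking how browsers parse HTML. For contexts other than HTML body text (attribute values, JavaScript, URLs) a different encoder is needed, which is another reason to keep the encoding decision at the output side rather than in an input filter.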