Protecting Your Cookies: HttpOnly

@bex you just screwed anyone who sits behind a proxy server. IP alone isn’t enough, and your web server is too high a layer to be effective at spotting all the ways to spoof.

With a site like SO, it’s going to be far more difficult to build a sanitizer, because there will be legitimate content, etc, that has script blah tags. That in itself is a reason to create your own markup syntax (or borrow wiki’s) because that way it’s easier to verify and reject content without losing sight of the trees for the forest.

With normal punter content, I strip anything remotely looking like markup because it’s not in the spec. Also most users want to use angle brackets in their normal sense, so a dead simple catch-anything is just to encode all angle brackets and ampersands and store it that way. If the spec changes and they want links, allow it via something like BBCode; my sanitizer doesn’t need to change, and I can validate/display only what I want to allow.

I still say that HTML/XML creators made one of the biggest WTFs by reusing ultra-common symbols as the basis for the one format to rule them all.

As a final point, it’s really hard when you have a small team trying to thwart a legion of bored 16-year-olds. In some ways it’s good, because DRM will never succeed because of them; in other ways it sucks when you’re trying to figure out what some little script kiddie did to deface your site.
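The encode-everything-then-allow-BBCode approach described in the comment above, written out as an added example (this is not the commenter's code and not from the original post). It assumes the tiny BBCode subset `[b]...[/b]` and `[url=...]...[/url]`, and the function names and sample inputs are constructed for illustration: all angle brackets, ampersands and quotes are encoded at storage time, and only an explicit allow-list of BBCode tags is turned back into HTML at render time, with link targets restricted to http/https so a stored `javascript:` URL can never become a clickable link.

```python
import html
import re
from urllib.parse import urlparse

# Step 1 (storage): encode every angle bracket, ampersand and quote so the
# stored text can never be parsed as markup by the browser.
def encode_for_storage(text: str) -> str:
    return html.escape(text, quote=True)


# Step 2 (render): re-enable only an explicit allow-list of BBCode tags.
ALLOWED_SCHEMES = {"http", "https"}
_URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)
_BOLD_TAG = re.compile(r"\[b\](.*?)\[/b\]", re.DOTALL)


def _safe_href(raw: str):
    """Return an attribute-safe href, or None if the URL scheme is not allowed."""
    url = html.unescape(raw).strip()        # stored form is already encoded
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return None                          # javascript:, data:, relative, etc.
    return html.escape(url, quote=True)      # re-encode for the href attribute


def render_bbcode(stored: str) -> str:
    """Convert allow-listed BBCode in already-encoded text into HTML."""

    def url_repl(match: re.Match) -> str:
        href = _safe_href(match.group(1))
        if href is None:
            return match.group(0)            # unsafe link stays literal text
        return f'<a href="{href}" rel="nofollow">{match.group(2)}</a>'

    out = _URL_TAG.sub(url_repl, stored)
    out = _BOLD_TAG.sub(r"<b>\1</b>", out)
    return out


def render_user_content(raw: str) -> str:
    """Full pipeline: encode on the way in, allow-list on the way out."""
    return render_bbcode(encode_for_storage(raw))


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        '<script>alert("x")</script> & co',
        "[url=https://example.com/?a=1&b=2]site[/url]",
        "[url=javascript:alert(1)]click me[/url]",
        "[b]<i>hi</i>[/b]",
    ]
    for s in samples:
        print(repr(s), "->", repr(render_user_content(s)))
```

Because the sanitizer only ever encodes, a later decision to allow a new tag (say `[i]`) is a change to the render allow-list, not to the stored data, which is exactly the property the comment argues for.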