Live and learn. I made a simple comment system for a website and it basically just removes every character that could be used in a script attack when the data is posted back to the page. Essentially it doesn’t let you use any HTML or other fancy stuff in the comment area so it’s a bit limited in what you can display for a comment, but at the same time it’s generally pretty secure (crosses fingers) and while comment spam happens at times whatever links are posted aren’t ever active.