Code you want to be beyond suspicion, I assume, or at least ye want to detect it to recognize it better next time around,
so feed the script at hand into the online demo form and then launch the "malicious code removed module".
I tested it with various XSS attack scripts and it worked flawlessly. I got for an output:
Input example for you all: <img src="javascript:evil();" onload="evil();" />
http://htmlpurifier.org/demo.php?filter[AutoFormat.AutoParagraph]=0&filter[AutoFormat.DisplayLinkURI]=0&filter[AutoFormat.Linkify]=0&filter[AutoFormat.PurifierLinkify.DocURL]=%23%25s&filter[AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions]=td%0D%0Ath&filter[AutoFormat.RemoveEmpty.RemoveNbsp]=0&filter[AutoFormat.RemoveEmpty]=0&filter[AutoFormat.RemoveSpansWithoutAttributes]=0&filter[Null_CSS.AllowedProperties]=1&filter[Core.CollectErrors]=0&filter[Null_HTML.Allowed]=1&filter[Null_HTML.Doctype]=1&filter[HTML.TidyLevel]=medium&filter[URI.DisableExternalResources]=0&filter[Null_URI.Munge]=1&html=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22ISO-8859-1%22%3F%3E%3C!DOCTYPE+foo+[%3C!ELEMENT+foo+ANY%3E%3C!ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fdev%2Frandom%22%3E]%3E%3Cfoo%3E%26xee%3B%3C%2Ffoo%3E%0D%0A&submit=Submit&experimental=1
Enjoy, my good forum friends, and learn while doing the exercise.
Some more code example material can be taken from here: http://attackvectors.com/code/XSS.txt
luntrus
P.S. So please keep your NS visors up, it detects XSS attempts, really it does...
Damian