A few PHP frameworks that I've seen have specific functions to remove XSS attacks. I believe that they just remove the <script> tag (I could be wrong). If I had previously used strip_tags on a string, was that enough to remove all XSS attacks or should I follow up with one of these framework XSS functions? A more general question is whether XSS attacks can exist without HTML tags.