does it even has bbcode

Protocol whitelisting as an xss prevention measure is pretty solid.

I totally agree with trying to define strong rules and not using cleaning libraries as they greatly increase server load.

Last edited: 23 January 2014 12:22am

Funny Picture" onload="console.log(document.cookie)
Added a whitelist. It handles everything you've thrown at it so far (with the exception of javas­cript:alert("xss"), which does nothing useful).
Also looks like I accidentally nuked the edit button. Fixing...
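
An added example, not part of the thread and not the forum's own code: a minimal BBCode renderer that combines the protocol whitelist discussed above with attribute escaping, run against the two inputs posted in this thread. The `[url=...]` / `[img=...]` syntax, the function names, the `example.com` URL and the http/https-only allowlist are assumptions.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the forum only needs web links

# Control characters and whitespace: URL parsers strip tabs and newlines, so a
# scheme split by one of them can still resolve. Reject instead of normalising.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")

# Assumed tag syntax: [url=TARGET]label[/url] and [img=TARGET]alt text[/img]
TAG = re.compile(r"\[(url|img)=([^\]]*)\](.*?)\[/\1\]", re.S | re.I)


def safe_url(raw):
    """Return the URL if it is absolute and its scheme is allowlisted, else None."""
    candidate = raw.strip()
    if _CONTROL.search(candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    # Allowlist, not denylist: anything that is not http(s) with a host is refused,
    # which covers javascript:, data:, scheme-relative and malformed values alike.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render(post):
    """Render a post to HTML. Every piece of user text is escaped on output."""
    out, pos = [], 0
    for m in TAG.finditer(post):
        out.append(html.escape(post[pos:m.start()]))
        kind, url, text = m.group(1).lower(), safe_url(m.group(2)), m.group(3)
        if url is None:
            out.append(html.escape(m.group(0)))  # refused tag stays inert text
        elif kind == "url":
            out.append('<a href="%s" rel="nofollow noopener">%s</a>'
                       % (html.escape(url), html.escape(text)))
        else:
            # html.escape() also escapes quotes, so alt text cannot close the attribute
            out.append('<img src="%s" alt="%s">' % (html.escape(url), html.escape(text)))
        pos = m.end()
    out.append(html.escape(post[pos:]))
    return "".join(out)
```

The whitelist alone does not stop the `onload` input, because that one never touches the URL; it is the quote escaping on the attribute value that neutralises it.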