public static function removeXSS($str) {
    $str = str_replace('{C}', '', $str);
    $str = preg_replace('~/\*[ ]+\*/~i', '', $str);
    $str = preg_replace('/\\\0{0,4}4[0-9a-f]/is', '', $str);
    $str = preg_replace('/\\\0{0,4}5[0-9a]/is', '', $str);
    $str = preg_replace('/\\\0{0,4}6[0-9a-f]/is', '', $str);
    $str = preg_replace('/\\\0{0,4}7[0-9a]/is', '', $str);
    $str = preg_replace('/?{0,8}[0-9a-f]{2};/is', '', $str);
    $str = preg_replace('/?{0,8}[0-9]{2,3};/is', '', $str);
    $str = preg_replace('/?{0,8}[0-9]{2,3};/is', '', $str);

    $str = htmlspecialchars($str);
    //$str = preg_replace('/
    //$str = preg_replace('/>/i', '>', $str);

    // 非成對標簽
    $lone_tags = array("img", "param", "br", "hr");
    foreach ($lone_tags as $key => $val)
    {
      $val = preg_quote($val);
      $str = preg_replace('/<' . $val . '(.*)(\/?)>/isU', '<' . $val . "\\1\\2>", $str);
      $str = self::transCase($str);
      $str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""","\"",$temp[0]);'), $str);
    }
    $str = preg_replace('/&/i', '&', $str);

    // 成對標簽
    $double_tags = array("table", "tr", "td", "font", "a", "object", "embed", "p", "strong", "em", "u", "ol", "ul", "li", "div", "tbody", "span", "blockquote", "pre", "b", "font");
    foreach ($double_tags as $key => $val)
    {
      $val = preg_quote($val);
      $str = preg_replace('/<' . $val . '(.*)>/isU', '<' . $val . "\\1>", $str);
      $str = self::transCase($str);
      $str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""","\"",$temp[0]);'), $str);
      $str = preg_replace('/<\/' . $val . '>/is', ' . $val . ">", $str);
    }
    // 清理js
    $tags = Array(
        'javascript',
        'vbscript',
        'expression',
        'applet',
        'meta',
        'xml',
        'behaviour',
        'blink',
        'link',
        'style',
        'script',
        'embed',
        'object',
        'iframe',
        'frame',
        'frameset',
        'ilayer',
        'layer',
        'bgsound',
        'title',
        'base',
        'font'
    );

    foreach ($tags as $tag)
    {
      $tag = preg_quote($tag);
      $str = preg_replace('/' . $tag . '\(.*\)/isU', '\\1', $str);
      $str = preg_replace('/' . $tag . '\s*:/isU', $tag . '\:', $str);
    }

    $str = preg_replace('/[\s]+on[\w]+[\s]*=/is', '', $str);

    Return $str;
  }