I use images as ship names a little, but those images are small, like
, or alliance icon.
Not long ago it was possible to mess a lot with the ship name; now it's limited, or maybe removed. Still, I can do what I show in the images below. However, the ship name is quite long, so it's probably not a threat. With private messages it might be possible to make some mess, though.
I reported some time ago that something could be done with script tags; it was fixed, but there is still some possibility to include some JavaScript.
If someone is still not protected from the Windows JPG bug, it is possible to run some application on his PC, but that's a whole different story.
There is a clean and efficient way to allow only selected tags,
i.e.:
echo strip_tags('<p style="color:red;"><b>Something</b><script></script></p>', '<p><b>');
will output
<p style="color:red;"><b>Something</b></p>
However, it still allows adding JavaScript in another way...
I can also do something really ugly
(ship above Test made that)
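
The strip_tags() output quoted above still carries the style attribute, because strip_tags() does not touch attributes on the tags it allows. The following is an added example, not part of the original post or the game's code: one way to keep the tag allowlist while dropping every attribute. sanitize_allowlist() is a hypothetical helper name and the second input is constructed.

```php
<?php
// Added example: allow only selected tags AND remove every attribute on them.
// sanitize_allowlist() is a hypothetical helper, not from the original post.
function sanitize_allowlist(string $html, array $allowedTags = ['p', 'b']): string
{
    // Step 1: same tag allowlist as the strip_tags() call in the post.
    $html = strip_tags($html, '<' . implode('><', $allowedTags) . '>');
    if ($html === '') {
        return '';
    }

    // Step 2: parse the remainder; the meta tag makes libxml read it as UTF-8,
    // the wrapper div keeps bare text from being re-wrapped by the parser.
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML(
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div>' . $html . '</div>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $doc->getElementsByTagName('div')->item(0);

    // Step 3: walk a snapshot of the elements (the tree is modified below).
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        if (!in_array(strtolower($el->nodeName), $allowedTags, true)) {
            // The parser saw a tag strip_tags() did not: keep only its text.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        // Allowed tag: drop style, event handlers and every other attribute.
        while ($el->attributes->length > 0) {
            $el->removeAttributeNode($el->attributes->item(0));
        }
    }

    // Step 4: serialize only the wrapper's children, not the wrapper itself.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Input from the post, then a constructed input with an event-handler attribute.
echo sanitize_allowlist('<p style="color:red;"><b>Something</b><script></script></p>'), "\n";
echo sanitize_allowlist('<b onclick="x()">Test</b>'), "\n";
```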