Using BBCodes...Parse HTML or remove it altogether? (XSS/PHP)
I'm creating a mini-forum in PHP and I want to allow user posts with limited text formatting and embedding images, but I want to do it securely (XSS-wise) and I was wondering what's the most optimal approach of the ones below.
1) Strip all HTML tags from user input, and replace the WYSIWYG editor's controls with BBCode. Is strip_tags sufficient for this?
2) Allow HTML input through the WYSIWYG, but use a parser to convert the output from HTML to BBCode. Can anyone recommend a secure BBCode parser for this?
Any other ideas are more than welcome.
You don't need to parse or strip HTML to be secure. Just run everything through htmlspecialchars before you print it and you are safe.
In addition, this is orthogonal to using BBcode. You can have your editor generate BBcode for formatting, and htmlspecialchars will not mess with it in any way.
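An added example (not code from the question or the answer) of the order the answer describes: escape the whole post with htmlspecialchars first, and only then expand a small BBCode whitelist into HTML, so that the only attribute value a user controls (the [img] URL) is validated and re-escaped. The function name and the sample post are my own.

```php
<?php
declare(strict_types=1);

/**
 * Render a user post: escape everything first, then turn a small BBCode
 * subset back into HTML. Because the raw text is escaped before any tag
 * is produced, user-supplied HTML never reaches the page unescaped.
 */
function renderPost(string $raw): string
{
    // Step 1: neutralise every HTML/attribute metacharacter in the input.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: whitelist a few formatting tags. The text between them is
    // already escaped, so the generated markup cannot be broken out of.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $safe);

    // Step 3: [img] produces an attribute value, so validate the URL
    // strictly: absolute http(s) only, no quotes/whitespace/angle brackets,
    // and escape it again when writing the attribute.
    $safe = preg_replace_callback(
        '#\[img\](.*?)\[/img\]#s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
                return $m[0]; // reject: leave the escaped text as plain text
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $safe
    );

    return $safe;
}

// Constructed sample post (not from the original question): one tag that
// should render, one script that must stay inert, one bad and one good URL.
$post = '[b]Hello[/b] <script>alert(1)</script> '
      . '[img]javascript:alert(1)[/img] [img]https://example.com/a.png[/img]';
echo renderPost($post), PHP_EOL;
```

The script tag comes out as literal `&lt;script&gt;` text, the javascript: URL stays as inert text, and only the https image becomes an `<img>` tag.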