Originally Posted by SilentSound

Take care - if your server is configured in that way, <?php ?> tags will be parsed with HTML files (depends on how you use the files after upload). Strip all code, be it PHP, ASP, etc. And strip ALL javascript. ALL of it.

That should be safe - I would use one more precaution though: don't allow anything referencing outer domains (eg. hotlinking an image for example from domain2.com, where the HTML file is uploaded to domain1.com) - this is a prime candidate for cookie stuffing.

Just my

take care !!!