Sorry, maybe I am not explaining what I am trying to do in the right way, so I will try to explain it better.
I do not believe that I have to worry about any codes other than the ones I have listed below.
HTML Code:
<b><i><a><hr><img><center><font><table><tr><td><p><div><object><param><embed><bgsound>
Because I have used the strip_tags function to strip out all codes other than the ones I have allowed.
PHP Code:
<?php
// $editprofile holds all the profile information as submitted by the user.
// How it is read in is not shown in the post, so an empty string stands in for it here.
$editprofile = '';
// strip_tags removes every tag except the ones listed in the second argument
// (the attributes of the allowed tags are kept as they are).
$editprofile = strip_tags($editprofile, "<b><i><a><hr><img><center><font><table><tr><td><p><div><object><param><embed><bgsound>");
?>
So the above code should strip out all the bad tags that I do not want people to use.
-------------------------------------------
What I am trying to figure out is how I stop people from putting bad tags like the ones below into their profile.
HTML Code:
<IMG SRC="javascript:alert('XSS');">
<BGSOUND SRC="javascript:alert('XSS');">
<BR SIZE="&{alert('XSS')}">
<TABLE><TD BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
Now, with the above codes that I do allow in profiles that have the word javascript in them, I can replace the word javascript with the ASCII characters for the word javascript, but what do I do about tags like the ones below, which I allow but which do not have the word javascript in them?
HTML Code:
<IMG SRC="jav	ascript:alert('XSS');">
<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
Now let's say that one person gives a valid img code and another person gives an img code with XSS in it; if I were to replace "<" with </; all codes would be seen on their profile no matter whether they were valid or not.
What I am trying to figure out is how I filter out bad XSS from between good tags that I allow people to use. I am having a hard time understanding this because I have never seen half of the characters in these XSS attacks.
Sorry if I am being bothersome, but this is the most help that I have gotten on this problem and I really need to understand how this works. Thanks!
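The filtering the post asks about happens at the attribute level, which strip_tags never touches: it keeps an allowed tag together with every attribute on it, so SRC, STYLE, BACKGROUND and AllowScriptAccess survive. The example below is added here and is not the poster's code. It parses the profile with PHP's DOMDocument (a standard class in the DOM extension), keeps only the listed tags, drops every attribute that is not on a per-tag allow list, and for href/src checks the URL scheme after removing the whitespace and control characters that browsers ignore, so "jav<TAB>ascript:" and "&#106;avascript:" are both caught. The allowed-attribute lists, the example.com URLs and the sample inputs are assumptions for the example; the tag list is the poster's list minus object, param, embed and bgsound, which can load script-capable content that no attribute filter makes safe.

```php
<?php
// Added example, not the poster's code. Assumes PHP 5.4+ with the DOM extension.
// Tag => allowed attributes. Any attribute not listed is dropped, which removes
// STYLE, BACKGROUND, onerror, AllowScriptAccess and the like. The per-tag
// attribute lists are assumptions chosen for this example.
$allowedTags = [
    'b' => [], 'i' => [], 'p' => [], 'div' => [], 'center' => [], 'hr' => [],
    'a' => ['href'],
    'img' => ['src', 'alt', 'width', 'height'],
    'font' => ['color', 'size', 'face'],
    'table' => ['border', 'width'],
    'tr' => [],
    'td' => ['colspan', 'rowspan', 'width', 'align'],
];
// Attributes that hold a URL and so must pass the scheme check.
$urlAttrs = ['href', 'src'];

// Returns the cleaned URL if its scheme is http or https, or if it has no
// scheme at all (a relative URL); returns null for anything else.
// The DOM parser has already decoded entities, so "&#106;avascript:" arrives
// here as "javascript:"; stripping control characters and whitespace turns
// "jav<TAB>ascript:" into "javascript:" as well before the scheme is read.
function safe_url($value) {
    $v = preg_replace('/[\x00-\x20\x7F]/', '', $value);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $v, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true) ? $v : null;
    }
    return $v;
}

// Walks the tree, removing disallowed elements (with their content) and
// disallowed or unsafe attributes from the allowed ones.
function clean_node(DOMNode $node, array $allowedTags, array $urlAttrs) {
    // Copy the child list first: removing nodes while iterating a live
    // DOMNodeList skips elements.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowedTags[$tag])) {
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowedTags[$tag], true)) {
                    $child->removeAttribute($attr->name);
                } elseif (in_array($name, $urlAttrs, true)) {
                    $safe = safe_url($attr->value);
                    if ($safe === null) {
                        $child->removeAttribute($attr->name);
                    } else {
                        $child->setAttribute($attr->name, $safe);
                    }
                }
            }
            clean_node($child, $allowedTags, $urlAttrs);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions have no place in a profile.
            $node->removeChild($child);
        }
    }
}

function sanitize_profile($html, array $allowedTags, array $urlAttrs) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);  // unknown tags such as <bgsound> only warn
    // The meta tag tells libxml the input is UTF-8; the wrapper div keeps
    // libxml from inserting <p> around bare text at body level.
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
                   . '<div>' . $html . '</div>');
    libxml_clear_errors();
    // The wrapper is the first div in document order.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    clean_node($wrapper, $allowedTags, $urlAttrs);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);  // re-escapes & < > " on the way out
    }
    return $out;
}

// Constructed inputs: one clean profile and four of the payloads from the post.
$samples = [
    '<a href="http://example.com/">my site</a> <img src="http://example.com/me.png" alt="me">',
    "<IMG SRC=\"jav\tascript:alert('XSS');\">",
    "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\" SRC=\"http://example.com/me.png\">",
    "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">hello</DIV>",
    "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>",
];
foreach ($samples as $s) {
    echo sanitize_profile($s, $allowedTags, $urlAttrs), "\n";
}
```

Run it from the command line with `php sanitize.php`. The first sample comes back unchanged; the img with the tab-split javascript: URL loses its src, the img with the STYLE expression keeps only its http src, the div loses its STYLE, and the embed disappears entirely. The point of parsing with a real HTML parser rather than regexes is that the browser and the filter then agree on where each tag and attribute begins and ends, and the serializer re-escapes anything that was only "safe" because of an unusual encoding.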