Well it does, but just not in the way I was expecting. It removes all html that it considers dangerous. However it will let some html elements through.

When I ran my simple login script using a web vulnerability scanner, it returned cross site scripting (XSS) vulnerabilities that I was not expecting.

If you are not accepting any html in your input you might be better off using one of php’s function’s htmlspecialchars() or strip_tags()