Re: (PHP) HTML entities in emails
I strip all tags, too. The problem is that my emails are getting sent as text, not HTML, so that an apostrophe, for example, that's been transformed into an entity doesn't get translated back into an apostrophe in the message.
I'm just starting to learn about how to make emails secure, so I'm not very clear about what kinds of malicious content might get sent through a form that could cause problems in an email. Would decoding the entities with htmlspecialchars_decode() make my emails vulnerable?
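An added illustration (not the poster's code, and not from the original thread) of the "escape per output context" approach the question is circling: a text/plain body has no HTML layer, so nothing should be entity-encoded there in the first place and no decode step is required; entities belong only in a text/html alternative, and header fields are a third context that is validated rather than escaped. It assumes a hypothetical form with `email`, `subject` and `message` fields.

```php
<?php
// Added example, not from the original thread. Builds the parts of an outgoing
// message from a (constructed) form submission, applying the escaping that
// matches each output context instead of encoding everything as HTML.

declare(strict_types=1);

/**
 * Mail headers are line-based, so a header value must never contain CR or LF.
 * Reject such input instead of trying to "escape" it.
 */
function cleanHeaderValue(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('Line break in header field');
    }
    return trim($value);
}

/**
 * Returns the validated header values and both body variants.
 * $form is assumed to hold the keys 'email', 'subject' and 'message'.
 */
function buildMessage(array $form): array
{
    // Header context: validate the address and the subject line.
    $replyTo = filter_var(trim($form['email']), FILTER_VALIDATE_EMAIL);
    if ($replyTo === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    $subject = cleanHeaderValue($form['subject']);

    // Body context 1: text/plain. Strip tags if they are unwanted, but do NOT
    // call htmlspecialchars(): the mail client shows these bytes literally, so
    // an apostrophe stays an apostrophe and there is nothing to decode later.
    $textBody = strip_tags($form['message']);

    // Body context 2: text/html. Here entity encoding is the right escaping,
    // because the client will parse this part as markup.
    $htmlBody = '<p>'
        . nl2br(htmlspecialchars($form['message'], ENT_QUOTES | ENT_HTML5, 'UTF-8'))
        . '</p>';

    return [
        'reply_to' => $replyTo,
        'subject'  => $subject,
        'text'     => $textBody,
        'html'     => $htmlBody,
    ];
}

// Constructed sample submission for demonstration.
$sample = [
    'email'   => 'visitor@example.com',
    'subject' => 'Question about your site',
    'message' => "It's a <b>great</b> site & I'd like to ask about <pricing>",
];

$msg = buildMessage($sample);
echo "Subject: {$msg['subject']}\n";
echo "Reply-To: {$msg['reply_to']}\n\n";
echo "--- text/plain ---\n{$msg['text']}\n";
echo "--- text/html ---\n{$msg['html']}\n";
```

The text part keeps the raw apostrophe and ampersand because nothing encoded them; the HTML part carries the entities and is the only part that would ever need them. Whether you then hand these pieces to mail() with a multipart body or to a mail library is a separate choice; the point is that the encoding decision is made per part, not once for the whole message.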