You should either have the client retrieve posts and use textContent/innerText or at the very least HTML escape the posts in the db.
What you have right now isn’t sufficient XSS protection; if I were to be honest, it isn’t even protection. A <script> tag isn’t the only way to use XSS. I would say one of the most common is <img src="" onerror="code">
Either way, you should just rewrite how the posts are displayed or escape the HTML, because trying to plug XSS with string analysis won’t really work.
well so did I lol
Unban me please, I’m a white hat hacker, and I didn’t mean to cause any trouble, I’m just finding bugs in your code
and I found another flaw that allows me to unban myself, but only for one request