I'm currently writing a PHP script for a guestbook in PHP where people can put their name, website and messages in a form, but I want to prevent someone from putting javascript:// in the URL box to reduce the risk of XSS. I've tried to solve this with:
<?php filter_var($_POST['website'], FILTER_VALIDATE_URL) ?>
But I'm still able to put javascript:// in the URL box. How could I prevent this?
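FILTER_VALIDATE_URL checks only that the value is a syntactically valid URL and accepts any scheme, so the check in the question has to be paired with a scheme allow-list and with escaping when the link is printed. The following is an added example, not part of the original post; the function name `guestbook_safe_url`, the `ALLOWED_SCHEMES` constant and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: names and sample inputs are constructed for illustration.
// Only these schemes may appear in a visitor-supplied website link.
const ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Return the URL if it is syntactically valid AND uses an allowed scheme,
 * otherwise null. In the guestbook handler, call it as
 * guestbook_safe_url($_POST['website'] ?? null).
 */
function guestbook_safe_url(?string $input): ?string
{
    $url = trim((string) $input);

    // Step 1: syntax check. This alone does not restrict the scheme.
    if ($url === '' || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Step 2: scheme allow-list, compared case-insensitively.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
        return null;
    }

    return $url;
}

// Constructed sample inputs, standing in for submitted form values.
$samples = [
    'https://example.com/blog',
    'javascript://example.com/',
    'HTTP://example.org',
    'not a url',
];

foreach ($samples as $sample) {
    $safe = guestbook_safe_url($sample);
    if ($safe === null) {
        echo 'rejected: ', htmlspecialchars($sample, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    } else {
        // Step 3: escape on output so the value cannot break out of the attribute.
        $href = htmlspecialchars($safe, ENT_QUOTES, 'UTF-8');
        echo "<a href=\"{$href}\" rel=\"nofollow noopener\">{$href}</a>", PHP_EOL;
    }
}
```

An allow-list is used rather than a block-list of `javascript:` because other schemes such as `data:` or `vbscript:` would otherwise need to be enumerated one by one.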