How does the S2 code cleaner work? I assume the content is piped through some program and stripped of malicious code, but how do you know which code is malicious? And where is that program located? I searched the CVS repos and the manual but couldn't find it. I'm interested in doing something similar with PHP.