ugh PHP is such a shitpile
Using extract() on a superglobal (especially superglobals which contain untrusted user input, like $_POST or $_GET) is extremely dumb. If you're going to do it, at least set the extract_type value to EXTR_SKIP or something so it doesn't overwrite existing variables with the same name.
Like >>680 said, if you're going to settle with sanitized HTML as markup, your best bet is to run $com through htmlspecialchars() and then reconvert safe tags back to their original value. Still, it'll probably be in your best interest to use a lightweight markup language instead, like Textile or Markdown.
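An added example (not code from the post) showing both points above: extract() on request data with the default overwrite behaviour versus EXTR_SKIP, and escaping $com with htmlspecialchars() before restoring a small whitelist of bare tags. The $com field, the tag whitelist and the sample request array are assumptions for illustration.

```php
<?php
// Added example, not code from the post. $com, the whitelist and the
// sample request are constructed for illustration.

// Default EXTR_OVERWRITE: a request field named "is_admin" silently
// replaces the local $is_admin that the code relies on.
function extract_overwrite_demo(array $request): bool {
    $is_admin = false;
    extract($request);               // $is_admin now holds whatever the client sent
    return (bool) $is_admin;
}

// EXTR_SKIP: existing variables win; colliding keys are ignored.
function extract_skip_demo(array $request): bool {
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return (bool) $is_admin;         // stays false regardless of the request
}

// Escape everything, then re-enable only bare <tag> / </tag> for a whitelist.
// Anything carrying attributes (onclick=, href=, ...) stays escaped.
function safe_markup(string $com, array $allowed = ['b', 'i', 'u', 's']): string {
    $out = htmlspecialchars($com, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($allowed as $tag) {
        $out = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }
    return $out;
}

// Constructed sample request: a privilege field and a comment with mixed markup.
$request = [
    'is_admin' => '1',
    'com'      => 'Hello <b>world</b> <b onclick="x">bad</b> <script>alert(1)</script>',
];
var_dump(extract_overwrite_demo($request));
var_dump(extract_skip_demo($request));
echo safe_markup($request['com']), "\n";
```

Restoring only bare tags keeps attributes and <script> escaped, but a closing tag whose opening tag was escaped is still restored, leaving unbalanced markup; that kind of edge case is one reason the post suggests a real markup language instead.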