White-List acceptable tags instead of back-list

[guest]

Is there a white-list of acceptable HTML tags? – If not this means that the Xinha essentially accepts all tags but rejects those that are inappropriate for example the “script” tag. This leads to no protection against new tags that are released and exploited.

[gogo]

It makes ZERO sense to have a whitelist or blacklist in Xinha itself. The user can submit whatever HTML they want to your server as a form post, they don't need Xinha to do that, putting such "protection" in Xinha would be entirely pointless and trivially cicumventable.

You MUST MUST MUST MUST MUST MUST MUST treat all data sent by untrusted users (and even trusted ones) as suspect, no matter where it comes from, Xinha or "normal" fields, or cookies, or... you MUST santise data you are given!

Xinha can and will not do that for you!

[guest]

gogo's right. may I suggest you look at HTML Purifier: http://htmlpurifier.org/