Well, it isn't just about tags; it's about attributes as well. For example: one can abuse JS-events like
<img onmouseover="javascript:destroymybrowser();" src"verysexyimage.jpg" />
Of course JS events are easily blacklisted, but with the power of HTML5 comes a lot more. You could hook into the scripts that read stuff like
data-some-identifier-unique-to-this-site
etc. Getting all of this secure will result in building a complete HTML interpreter in PHP, almost like a rendering engine. That's brutal overkill for most situations where people post messages with minimal or BBcode at all, apart from basic links and quotes. I reckon such messages are about 95-98% of all bulletin board messages in the world.* However, you need to push all messages through this heavy interpreter to be secure.
I know it's an eternal ware between security and usability, but that goes for locking your home as well. It's much more convenient when you can leave your door open so you can easily walk in your home when you have your arms full with bags from the grocery store. However: most people choose to lock their doors just to be on the safe side.
*) this is just my gut feeling, not based on statistics.
My extensions:
Simple CMS, Feed post bot, Avatar Resize, Modbreak, Magic OGP, Live topic update, Modern Quote, Quoted Where (GDPR) and Autoresponder.
Newest: FAQ manager for 3.2
Like my work?
Buy me a coffee to keep it coming.
-Don't PM me for support-