I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?
How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?
If you leave something off a whitelist, then you just break something that wasn't important enough for you to think about in the first place.
If you leave something off a blacklist, then you've opened a big security hole.
If browsers add new features, then your blacklist becomes out of date.