We are formalizing our cross-site scripting defense by implementing HTML sanitizing using the Open Web Application Security Project (OWASP) Java HTML Sanitizer. We realize that this kind of security is a moving target, and we will do our best to address known threats. For organizations that require formal acknowledgement of XSS protection intent, please enable this setting. If you need to be able to implement non-compliant features, such as embedded rich HTML, you have the option of leaving it disabled.
The current list of allowed elements is: "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul", "ol", "li", "span". Note that this list is subject to change, as security is a moving target.
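
As an added illustration (not the product's own code), an element-only policy built from the list above with the OWASP Java HTML Sanitizer's `HtmlPolicyBuilder` looks like this. The class name, the constructed sample inputs, and the choice to allow no attributes are assumptions, since the attributes permitted by the real policy are not listed here.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class AllowlistSanitizerExample {

    // Element allowlist copied from the list above. No attributes are allowed
    // (assumption), so event handlers, style and href values are all dropped.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "tt",
                       "strong", "br", "ul", "ol", "li", "span")
        // The library removes attribute-less <a> and <span> by default;
        // keep them so the element list behaves as written.
        .allowWithoutAttributes("a", "span")
        .toFactory();

    // Returns markup containing only allowlisted elements. Disallowed tags are
    // removed; their text content is kept, except for elements such as
    // <script> and <style>, whose content is discarded as well.
    static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the product.
        String[] samples = {
            "<p>Hello <b>world</b></p>",
            "<p onclick=\"doSomething()\">attribute is stripped</p>",
            "<script>alert(1)</script><em>script element is removed</em>",
            "<table><tr><td>rich HTML outside the allowlist</td></tr></table>",
            "<a href=\"https://example.com/\">link loses its href</a>"
        };
        for (String input : samples) {
            System.out.println("in : " + input);
            System.out.println("out: " + sanitize(input));
        }
    }
}
```

Running it requires the `owasp-java-html-sanitizer` library on the classpath. The table sample shows why embedded rich HTML is described as a non-compliant feature: elements outside the allowlist do not survive sanitization.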