If you are using the
AllElements option for WhiteList you can choose various sets of elements and attributes to allow.
Safe- a very restricted set of elements and attributes is allowed. Hyperlinks, images, forms, scripting, inline styles and so on are not allowed.
Safe, but hyperlinks, images and client-side scripting are allowed. Some cross-site scripting is possible as a result.
Unsafe, but form controls are also allowed. This allows some potentially very nasty cross-site scripting attacks to be carried out with ease if an attacker is able to influence the String being converted, so use this with extreme caution.
None of these allow the direct addition of <script> elements or the
onX event handlers.