I looked at the HTML stripper, and to be secure I think
you should also strip the elements <style>, <frame> and
<link> as well as the attribute "background".
There are also more intrinsic events that you don't
check for, such as onDblClick and whatever they're
called. Check W3C's HTML specification for details.
// Ulf Härnhammar