Whitelist, don't blacklist (suggestion)
We do whitelist; our whitelist wasn’t good enough. Think of the bouncer at a club door. If you’re not on the list, you don’t get in.
So has that convinced your ‘friend’ to not use a home-baked HTML sanitizer?
No, we just improved it. That’s how code evolves. Giving up is lame.