Quote:
I cannot understand it.
What's the evil?
German humour, hard to understand...
Maybe you have a bit of time to give me deeper knowledge. The big question is: if HTML is allowed, HOW will it be injected? Just by adding script code into the WYSIWYG editor window? In this case TinyMCE will escape it. Let's assume you are allowed to switch to HTML view. There, of course, you can add script code. This time the script portion will be stripped, because it is not on the whitelist.
Maybe you want to have a look at
http://tinymce.moxiecode.com/example_full.php?example=true and try to add a form or a script.
This is what I meant by client-side sanitizing.