The following commonly used HTML tags (not an exhaustive
list) could allow a malicious user to inject script code:
<applet>
<body>
<embed>
<frame>
<script>
<frameset>
<html>
<iframe>
<img>
<style>
<layer>
<link>
<ilayer>
<meta>
<object>
An attacker can use HTML attributes such as src, lowsrc,
style, and href in conjunction with the preceding tags to inject script
for a cross-site scripting attack.
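
As an added example (not code from the original page), the following Python check parses untrusted markup and reports each tag from the list above together with any of the named attributes it carries. The function name find_risky_markup, the class name, and the sample input are assumptions made for illustration; because the tag list is not exhaustive, the check is a review aid rather than a complete filter.

```python
from html.parser import HTMLParser

# Tags and attributes exactly as listed on this page. The page notes the
# tag list is not exhaustive, so a clean result does not prove input is safe.
RISKY_TAGS = frozenset({
    "applet", "body", "embed", "frame", "script", "frameset", "html",
    "iframe", "img", "style", "layer", "link", "ilayer", "meta", "object",
})
RISKY_ATTRS = frozenset({"src", "lowsrc", "style", "href"})


class RiskyMarkupFinder(HTMLParser):
    """Collects (line, tag, [listed attrs]) for each listed tag in the input."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG SRC=...>
        # and <img src=...> are treated alike. Self-closing tags also land here.
        if tag in RISKY_TAGS:
            hits = sorted({name for name, _ in attrs if name in RISKY_ATTRS})
            line, _col = self.getpos()
            self.findings.append((line, tag, hits))


def find_risky_markup(untrusted):
    """Return findings for listed tags in a string of untrusted markup."""
    finder = RiskyMarkupFinder()
    finder.feed(untrusted)
    finder.close()
    return finder.findings


# Constructed sample of user-supplied input (hypothetical comment field).
SAMPLE = (
    '<p>Nice post!</p>\n'
    '<IMG SRC="https://example.test/a.png" LOWSRC="https://example.test/b.png">\n'
    '<iframe src="https://example.test/frame"></iframe>\n'
    '<b style="color:red">bold</b>\n'
    '<link rel="stylesheet" href="https://example.test/x.css"/>\n'
)

if __name__ == "__main__":
    for line, tag, attrs in find_risky_markup(SAMPLE):
        print(f"line {line}: <{tag}> listed attributes: {attrs}")
```

The style attribute on the b element is not reported because b is not one of the listed tags; the check follows the page in pairing the attributes with the tags above.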