First of all - thanks for this template, much appreciated.
I've been asked if it's possible to allow OBJECT, EMBED and PARAM html. It looks like it should be if I could work out what the regexp should be but that's probably unlikely!
XSS has been an issue for us but isn't always as some sites are for small groups of students and their lecturers.