Hi everybody,
More updates on this issue:
1 - AllowedTag is working for HTML code supplied as URL vars for ad_page_contact. I guess I had a cache problem. Sorry about that.
2 - Torben is right about our security in ad_html_security_check. The checks done by this proc are good, but they don't answer to more sophisticated attack scenarios. I'm looking at some encoding tips to fix this matter: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
3 - XoWiki doesn't run ad_html_security_check for supplied HTML code. That's where I'm working now, and if anybody can give me a clue about HTML parsing on XoWiki it would be helpful.
Best regards and thank you for your comments.