I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?
How many sneaky HTML tricks are there to open XSS vulnerabilities?
Because then you are sure that you don't miss anything. By explicitly allowing some tags you obviously have more control over what is allowed.
Whitelists are used in most security-related topics. Think about firewalls. The first rule is to block any (incoming) traffic and then only open ports that are supposed to be open. This makes it far more secure.