Ah. I see what you mean. In a "real world" situation I'd expect this server-side code to be used in conjunction with a client-side "editor", such as TinyMCE. In that case, if a formula were pasted in (or anything else with angle brackets), then it would be sent to the server as &lt; or whatever and so the parser/sanitiser wouldn't treat it in the same way you're seeing.
If a plain field were being used to accept HTML then I'd expect that user to be of the "power user" type and to know not to type in an unclosed < without it causing problems.
The "sanitiser" works on a whitelist of allowed tags/attributes. There are harmless tags removed, but when a user is creating content you really need to hammer down what they can use. For example, I only usually allow h4, h5 and h6. H1/2/3 are usually reserved for the actual design of the page in which their content will sit.
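As an added illustration of the whitelist approach described in the reply above (this is example code written for this page, not the poster's own sanitiser), the following Python builds a small tag/attribute whitelist on top of the standard library's HTMLParser. The allowed-tag set, the restriction of headings to h4/h5/h6, the `href`-only rule for links and the accepted URL prefixes are all choices made for the example. Text inside dropped tags is kept but re-escaped, a stray unclosed `<` becomes `&lt;` rather than being swallowed, and an already-encoded `&lt;` from a client-side editor survives unchanged.

```python
from html.parser import HTMLParser
from html import escape

# Whitelist chosen for this example: tag name -> attribute names kept on it.
# Headings are limited to h4/h5/h6; h1-h3 are left to the page template.
ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "h4": set(), "h5": set(), "h6": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}
# href values must start with one of these; everything else (javascript:, data:, ...) is dropped
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class WhitelistSanitiser(HTMLParser):
    """Emit only whitelisted tags/attributes; all character data is re-escaped."""

    def __init__(self):
        # convert_charrefs=True means "&lt;" arrives in handle_data as "<",
        # which escape() turns back into "&lt;" on the way out.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # tag is dropped; its inner text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_stack:
            # Close anything opened after this tag as well, so output stays well formed.
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        # End tags for non-whitelisted or never-opened tags are ignored.

    def handle_data(self, data):
        # Every piece of text is escaped: a bare "<" in user input becomes "&lt;".
        self.out.append(escape(data, quote=False))

    def result(self):
        # Close any tags the user left open.
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitise(html_in: str) -> str:
    """Return a cleaned HTML fragment containing only whitelisted markup."""
    parser = WhitelistSanitiser()
    parser.feed(html_in)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    samples = [
        '<h1>Title</h1><h4>Section</h4>',
        '<p onclick="steal()">hi</p>',
        '<a href="javascript:alert(1)">bad</a> <a href="https://example.com">ok</a>',
        'x < y and a &lt; b',
        '<h4>left open',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitise(s)))
```

Because the parser keeps text while discarding unknown tags, a user who types an unclosed `<` in a plain field gets it rendered literally instead of having the rest of their content treated as a tag, which is the failure mode the reply above is concerned with.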