I’m building some web app where users are allowed to style their textarea input. I will use tinymce for that, so my question is, is it enough to filter HTML data with DOMDocument class by whitelisting HTML tags and attributes? Am I safe from XSS attacks?