And to clients, the only real risk is in non-HTML goodies like JavaScript and ActiveX, which can be very easily filtered

I have to disagree with this. It is easy to filter out the obvious forms of JavaScript and VBScript embedding, but due to the flexibility of the browsers (particularly IE) it is difficult to filter out all the various ways that script can be embedded and executed.

With our intranet apps that I have mentioned before we had to give up in the end with attempting to filter out script. We would keep thinking we had picked up all the cases and then one of us would come up with another crafty method to sneak some script in and get it executed.
_________________________
Remind me to change my signature to something more interesting someday
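The post above argues that blacklisting script is a losing game. The following is an added example, not code from the thread or from any product mentioned in it: a hypothetical blacklist filter of the kind described, placed beside the approach that actually removes the problem (encoding every HTML metacharacter on output so the browser treats user data as text). The sample inputs are constructed for the comparison.

```python
import html
import re

# Hypothetical blacklist of the kind the post describes: strip obvious
# <script> tags and the javascript: URL scheme, pass everything else through.
# Constructed for illustration; not any real product's code.
BLACKLIST = re.compile(r"<\s*/?\s*script[^>]*>|javascript\s*:", re.IGNORECASE)


def blacklist_filter(untrusted: str) -> str:
    """Remove known-bad substrings and return the remainder unchanged."""
    return BLACKLIST.sub("", untrusted)


def escape_for_html(untrusted: str) -> str:
    """Encode <, >, &, " and ' so the browser renders the value as text."""
    return html.escape(untrusted, quote=True)


def still_contains_markup(rendered: str) -> bool:
    """True if a raw tag or attribute delimiter survives into the page."""
    return "<" in rendered or ">" in rendered or '"' in rendered


# Constructed sample inputs: a harmless value, a tag the blacklist does not
# name, and an attribute-breaking value with no tag at all.
SAMPLES = [
    "Alice & Bob <3",
    '<img src=x onerror="alert(1)">',
    '" onmouseover="alert(1)',
]


def compare(samples=SAMPLES):
    """Per input: (input, blacklist leaves delimiters?, escaping leaves delimiters?)."""
    return [
        (s,
         still_contains_markup(blacklist_filter(s)),
         still_contains_markup(escape_for_html(s)))
        for s in samples
    ]


if __name__ == "__main__":
    for s, leaks_after_blacklist, leaks_after_escape in compare():
        print(f"{s!r}: blacklist leaves markup={leaks_after_blacklist}, "
              f"escaped leaves markup={leaks_after_escape}")
```

The blacklist removes only the patterns it was told about; the escaping path returns no raw delimiters for any input, which is why output encoding (or a strict allowlist parser) is the usual recommendation rather than pattern stripping.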