There are actually huge security holes here. You can pretty much add any attribute if you leave spaces between the brackets.
< script >alert('Gotcha')< /script >
test
+++ Rick ---
>If you try to preview or save a message with an unsupported HTML tag you get an error message. The message lists the tags that are supported, but that list is incomplete.
>
>For example, the
Superscript tag is supported.