• Hi,

    I’m working on a new site which uses Multisite to allow members to create their own blog, but I have a few security-related questions. The main one is how I can replace the HTML editor with BBCode, as I feel I could use this to prevent malicious iframes, etc. from being embedded. Also, are there any other security precautions I should take?

    Thanks in advance,
    Cameron Gray

Viewing 7 replies - 1 through 7 (of 7 total)
  • They can’t embed iframes anyway; they get stripped by default. Multisite is actually more secure than regular WordPress in that way.

    Thread Starter camerongray1515

    (@camerongray1515)

    So am I safe to just leave it as-is, and there will be no way for users to integrate virus downloads/malicious Java applets/JavaScript, etc.?

    Is there a way to define a list of blocked tags?

    Look in the kses.php file and see what it blocks – by default, it works exactly like how scripts get stripped at wordpress.com blogs.

    Go try it for yourself.

    Is there a way to define a list of blocked tags?

    Yes, by (re)defining the lists of allowed tags. This can be done with a “mu-plugin”:

    <?php
    // mu-plugin: save as wp-content/mu-plugins/ds-allowed-tags.php
    add_filter('edit_allowedposttags', 'ds_allowedposttags');
    add_filter('edit_allowedtags', 'ds_allowedtags');

    // Allowed tags (with their attributes) for post content.
    function ds_allowedposttags($allowedposttags) {
        $allowedposttags = array(
            // fill this array with post tags as in wp-includes/kses.php
        );
        return $allowedposttags;
    }

    // Allowed tags (with their attributes) for comments.
    function ds_allowedtags($allowedtags) {
        $allowedtags = array(
            // fill this array with comment tags as in wp-includes/kses.php
        );
        return $allowedtags;
    }
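
    As an added example (not code from this thread or from WordPress itself), the same restriction written against the `wp_kses_allowed_html` filter that newer WordPress releases expose; that is the hook kses consults right before it filters content, so it also covers whatever another plugin has added. The plugin file name, the `ds_` function names and the tag list are my own choices. The reason this is enough on Multisite: only super admins hold the `unfiltered_html` capability there, so every other member's post and comment content goes through kses and therefore through this allowlist.

```php
<?php
/*
 * Plugin Name: Network tag allowlist (added example)
 *
 * Added example, not the thread's code. Save as
 * wp-content/mu-plugins/network-tag-allowlist.php so it loads on every site
 * of the network, ahead of ordinary plugins. Assumes a WordPress release that
 * has the wp_kses_allowed_html filter; the tag names below are an illustrative
 * policy, not a list taken from the original thread.
 */

// Tags members must never be able to publish. iframe/script/object/embed are
// not in the default post allowlist anyway; naming them here guards against
// another plugin or theme adding them back through the same filter.
function ds_network_blocked_tags() {
    return array( 'iframe', 'script', 'object', 'embed', 'applet',
                  'form', 'input', 'style', 'link', 'meta', 'base' );
}

// Runs every time kses asks which HTML is allowed. $context is 'post' for
// post content; other contexts (comments, profiles) get the smaller list.
function ds_network_allowed_html( $tags, $context ) {
    if ( ! is_array( $tags ) ) {
        return $tags;
    }
    foreach ( ds_network_blocked_tags() as $tag ) {
        unset( $tags[ $tag ] );
    }
    // Example policy for links in posts: keep only the attributes we need.
    // Anything not listed (onclick, target, ...) is dropped by kses, because
    // this structure is an allowlist, not a blocklist.
    if ( 'post' === $context && isset( $tags['a'] ) ) {
        $tags['a'] = array( 'href' => true, 'title' => true, 'rel' => true );
    }
    return $tags;
}
// Priority 20 so it runs after plugins that hook at the default priority 10.
add_filter( 'wp_kses_allowed_html', 'ds_network_allowed_html', 20, 2 );

// Sanity check: call from a template or `wp eval-file` to see what a member's
// post ends up as. The sample markup is constructed for this example; the
// iframe and the onclick handler should not survive.
function ds_network_allowlist_demo() {
    $sample = '<p>hello</p>'
            . '<iframe src="https://example.invalid/"></iframe>'
            . '<a href="/about" onclick="alert(1)">about</a>';
    return wp_kses( $sample, wp_kses_allowed_html( 'post' ) );
}
```

    Two caveats a network owner should keep in mind: kses never runs for a user who has `unfiltered_html`, so if super admins on this network should be filtered too, define `DISALLOW_UNFILTERED_HTML` as `true` in wp-config.php; and the allowlist only covers markup stored through the normal post and comment paths, so a plugin that writes HTML to the page by itself is not covered by it.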
    Thread Starter camerongray1515

    (@camerongray1515)

    Thanks for that – So I am safe to release the site without risk of viruses?

    One last thing – How can I set it up so that each user can set up their own site, but so that they only have one each?

    Thread Starter camerongray1515

    (@camerongray1515)

    Thanks for that!

  • The topic ‘Multisite Security’ is closed to new replies.