Encoded entities can be used to bypass safety checks
Don't remove iframe when using xml_dom to balance tags