html: Decode html entities before sanitizing

Encoded entities can be used to bypass safety checks
Don't remove iframe when using xml_dom to balance tags