The Security module enables you to set the sanitization level you wish to use throughout your Enterprise solution.
There are 3 levels of restriction, 1 being the the least and 3 being the most restricted.
Here is the list with the 3 levels:
Level 3: Uses a highly restricted whitelist of HTML tags, attributes, styles etc. to prevent cross site scripting. Note that this sanitization level will disallow CSS and most embed codes from external services, such as YouTube, Instagram, etc.
Level 2: Uses a less restricted whitelist which will block all scripting, but still allow iframe embeds and CSS.
Level 1: No sanitization of content. All HTML will be allowed in content generated by users and editors.
If not changed, Level 2 is set as default: