You mentioned that the users will log-in. This usually figures into our reasoning when we think about how much effort to put into rules. If the tool is for a defined group of users, you can put out an acceptable use policy. If/when someone does something bad you can follow some procedure for telling them. Repeated offenses can lead to revoking the service.

There are some arguments against that. All of that stuff takes effort (the warning) and that effort could have gone into making the system safer. You also need to consider the aptitude of the users. Are they likely to accidentally make mistakes in input? If so, the validation has another function which is making the system more usable.

So I guess I'm saying there are cases where you can leave it wide open, but it's a small subset of cases.

That leads to your other question, which is are there some subsets of acceptable tags that people have already defined? I'm very interested in the answers because I think you're right that this problem gets solved repeatedly all the time.