Rework XSS filtering implementation for more use cases

Problem/Motivation

As of this writing we run the "replacement text" through Drupal's Xss::filterAdmin().

The problem is that this prevents legitimate use cases such as replacements that look like <$1> or <$1 $2>. The first example would end up as <$1> and end up breaking pasted content in usual ways.

Steps to reproduce

1. Install the CKEditor 5 Paste Filter module →
2. Add or edit a text format (/admin/config/content/formats)
3. Set the Text editor of the text format to CKEditor 5
4. Under CKEditor 5 plugin settings select the Paste filter vertical tab
5. Enable the plugin by checking the Filter pasted content checkbox
6. (optional) Customize the filters if needed. If you are customizing the filters, please provide details below.
7. Save the text format: Scroll to the bottom and click Save configuration
8. Add a new node using the configured text format (/node/add)
9. Paste the rich content into the editor

Search expression: <(strong|em) class="remove">
Replacement: <$1>

Proposed resolution

Rework XSS implementation to selectively strip tags rather than selectively allow.

List to block:

• script
• iframe
• style
• link
• meta
• html
• head
• body

Remaining tasks

TBD

User interface changes

None

API changes

TBD, should be none

Data model changes

None