(My guess — only a guess! — is that client apps typically run the HTML through sanitizers, and what will succeed in being displayed is a function of divergent and unspecified choices clients make in choosing or configuring those sanitizers.)