forked from rsimmons/subadub
Open
Description
Subtitles are displayed by the innerHTML method: cueElem.innerHTML = simpleText;
This could be dangerous if the subtitle text contains some malicious code.
That should already be handled by the vttTextToSimple function, which removes all unknown HTML tags, but what if a filter includes some malicious code after the vttTextToSimple call?
Better to make a security check just before cueElem.innerHTML = simpleText; is written.
Make a list of allowed HTML tags (and their attributes), remove the others, and write a warning to the console.
subfilter/dist/subfilter-ui.js (line 158 in 0046a57):
    cueElem.innerHTML = simpleText;
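An added example of the allowlist check proposed above, written for this issue and not taken from subfilter or subadub: the cue markup is tokenized and rebuilt so that only allowlisted tags and attributes survive, everything else is dropped with a console warning, and anything that is not a well-formed tag is emitted as literal text. The tag and attribute allowlist, the function names and the `log` callback are assumptions for this example; the real set would come from what vttTextToSimple emits.

```javascript
// Allowlist sanitizer for simplified subtitle cue HTML.
// Added example, not subfilter's own code. The tag/attribute allowlist,
// the function names and the `log` callback are assumptions for this example.

// Tags a cue may keep (assumed: the basic styling vttTextToSimple emits).
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'br', 'span']);
// Attributes allowed per tag; anything else (style, on*, href, ...) is dropped.
const ALLOWED_ATTRS = { span: new Set(['class']) };

// Escape text so it can only ever render as text: stray angle brackets become
// entities, and a bare '&' that does not already start an entity is encoded
// (assumed: vttTextToSimple may already have emitted entities such as &amp;).
function escapeText(text) {
  return text
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute values are re-emitted inside double quotes, so quotes must be escaped too.
function escapeAttrValue(value) {
  return escapeText(value).replace(/"/g, '&quot;');
}

// Keep only allowlisted attributes of an allowed tag; record the rest as dropped.
function filterAttrs(tagName, rawAttrs, dropped) {
  const allowed = ALLOWED_ATTRS[tagName] || new Set();
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) {
      dropped.push(`${tagName}[${name}]`);
      continue;
    }
    out += ` ${name}="${escapeAttrValue(value)}"`;
  }
  return out;
}

// Rebuild the cue markup from scratch: allowed tags are re-emitted with only
// allowed attributes, unknown tags are removed (their text content stays as
// plain text), and anything that is not a well-formed tag is rendered literally.
function sanitizeCueHtml(html, log = console.warn) {
  const dropped = [];
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const gt = html.indexOf('>', lt + 1);
    if (gt === -1) { out += escapeText(html.slice(lt)); break; }   // unterminated '<'
    const raw = html.slice(lt + 1, gt);
    i = gt + 1;
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9-]*)\s*([\s\S]*?)\/?$/.exec(raw);
    if (m === null) { out += escapeText(`<${raw}>`); continue; }  // comments, junk
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { dropped.push(name); continue; }
    out += closing ? `</${name}>` : `<${name}${filterAttrs(name, m[3], dropped)}>`;
  }
  if (dropped.length > 0) {
    log(`subfilter: removed disallowed markup from cue: ${dropped.join(', ')}`);
  }
  return out;
}
```

At the site from the issue the assignment would become `cueElem.innerHTML = sanitizeCueHtml(simpleText);`. Because the output is rebuilt from scratch rather than patched in place, a filter that slips a `<script>` or an `onerror` attribute in after vttTextToSimple can only contribute plain text, and the warning in the console points at which filter did it.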
Labels: enhancement (New feature or request)