I have looked at your patch and made a couple changes.
HR should probably be allowed by default since util_close_html_tags is
not really the right place to filter tags (I am not even sure about
nuking blink and marquee tags despite my hatred of them). HR is quite
legitimate in a number of places the function has been used.
I changed BODY and HTML change to "remove" (otherwise if someone naively
submits a full page it will all be discarded while what you probably
want to do is discard <HEAD>...</HEAD> and simply remove HTML and BODY.
I changed the default to be remove rather than discard for
unknown tags since the consequence of discard would be removing
everything after a misspelled tag (like someone typing <STRNOG> for
example). I am not really that sure I like removing unkown tags
but I am willing to go along with it and see if it causes anyone
problems.
btw, your example of <h2><h2/></h2> is not such a good one since
strictly speaking <h2/> is a singleton tag not an unknown tag
although I guess a number of browsers will not treat it as such
without a seperating space.
