Hi Chris,
yes, the onclick for starters. Indeed any JavaScript would make it "unsafe".
It should be pointed out that "unsafe" does not mean it's bad. It means you are responsible for making sure it's not malicious. The whole point of this is to prevent rogue users from "injecting" unsafe html into your site.
For example, say you allow an HTML editor on your page. Then I can enter stuff in there, including normal html tags, plus JavaScript and so on. If you then display my input verbatim, then anyone who sees my input is also running _my_ JavaScript code (that I'd "injected" on to your site.)
NetTalk, as a framework, obviously applies a lot of attention to security, and we try and default to "safer" options. Thus you need to explicitly allow html to be used in common data places (like headers, browses, forms etc). this was then expanded to the next level to identify a bunch of html as "harmless" and the rest as "potentially unsafe". There are places where you want to use "unsafe" html, because you wrote it. You just need to be sure _you_ wrote it, not one of your users.
So there's nothing wrong with making your own code "ok" - what you _really_ don't want to do is expose code as "ok" which is coming from your database or from an uploaded file or something like that.
cheers
Bruce