My opinion is that you have a legitimate concern when considering the possibility that certain HTML posted in comments on a blog could be dangerous. The other side of that coin, however, is that there is already a WordPress core file that limits the HTML tags that are allowed in comments by default. The file is named kses.php and can be found in the /wp-includes directory.
If you take a look inside that file – and you can see it here – beginning on line 395 you see this:
395 $allowedtags = array(
Below that line is a list of HTML tags that WordPress allows to be used by default. The tags that are NOT allowed will be preceded by two forward slashes // which means they are “commented out”, or not allowed to be used in this case. If you remove the slashes, the tag will then be allowed, and placing slashes in front of an entry that has none will disallow it.
So as you can see, the list of HTML that can be used in comments is pretty short, and doesn’t really present much of a concern. I understand that this can be overridden in a theme’s functions.php file. I took a look in the iNove functions.php file, and I don’t believe I saw anything that indicates that those rules have been overridden or changed for use in the theme.
Here is the long and the short of it:
a) I can’t think of any reason why you should have to spend your valuable time editing the theme’s files for this. My advice is to leave the files as they are so that you can enjoy the theme in a fully functional capacity, with all the features intact. You can do this by simply replacing the theme with a fresh copy. (I think there is a newer version available, by the way.)
b) Although I can appreciate the concern you have for HTML in comments, I truly don’t think you are at any greater risk than any other forum, blogging platform, chat room, or other software that allows visitors to interact with each other.
c) I don’t think you need to change anything relative to the HTML tags in comments. I wouldn’t hesitate to use that theme just the way it is. In fact, I have used it in the past.
Just my opinion.
Here is an article that might help to explain how WordPress uses that file to filter the allowed tags. When you compare what you see there with what you see in the file (the link I posted above), it makes more sense.
https://ottopress.com/2010/wp-quickie-kses/
Best wishes!
[edit] just an afterthought… having edited the kses.php file, and not being sure of what was what, you will most definitely want to replace it with a fresh one, or you could end up having some difficulties.
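The check described in the reply above, reading a theme's files to see whether the default comment tag rules have been overridden, can be scripted. This is an added example, not part of the original reply and not WordPress code; the pattern list is an assumption about the usual ways PHP code changes the allowed tags, and the sample theme code is constructed.

```python
import re
import sys
from pathlib import Path

# CUSTOM_TAGS, $allowedtags, wp_kses_allowed_html and wp_filter_kses are
# WordPress core names; which patterns to flag is this example's assumption.
CHECKS = [
    (re.compile(r"define\s*\(\s*['\"]CUSTOM_TAGS['\"]"),
     "defines CUSTOM_TAGS (core skips its default tag lists)"),
    (re.compile(r"\$allowedtags\b\s*(?:\[[^\]]*\]\s*)*=(?!=)"),
     "assigns to $allowedtags (changes the comment tag list)"),
    (re.compile(r"add_filter\s*\(\s*['\"]wp_kses_allowed_html['\"]"),
     "hooks wp_kses_allowed_html (can add or remove allowed tags)"),
    (re.compile(r"remove_filter\s*\(\s*['\"]pre_comment_content['\"]\s*,"
                r"\s*['\"]wp_filter_kses['\"]"),
     "removes wp_filter_kses from comments (no tag filtering at all)"),
]

def scan_php(source, name="<string>"):
    """Return (file, line number, reason) for each line that alters the rules."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        # Skip whole-line comments; inline and block comments are not parsed.
        if code.startswith(("//", "#", "*", "/*")):
            continue
        findings += [(name, lineno, why) for rx, why in CHECKS if rx.search(code)]
    return findings

def scan_theme(theme_dir):
    """Scan every .php file under a theme directory."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        findings += scan_php(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample, not taken from any real theme.
SAMPLE = """<?php
// $allowedtags['script'] = array();
function demo_setup() {
    global $allowedtags;
    $allowedtags['img'] = array('src' => array());
}
add_filter('wp_kses_allowed_html', 'demo_tags', 10, 2);
remove_filter( 'pre_comment_content', 'wp_filter_kses' );
"""

if __name__ == "__main__":
    hits = scan_theme(sys.argv[1]) if len(sys.argv) > 1 else scan_php(SAMPLE, "sample")
    for name, lineno, why in hits:
        print(f"{name}:{lineno}: {why}")
```

An empty result for a theme directory means none of these patterns appear; each hit is a line to read, not proof of a problem.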