If your HTMLField is used on the front end, or if you have a rogue user in the admin, it allows XSS attacks.
Validate that the HTML is correct. Limit the HTML tags used in the TinyMCE settings; prevent "javascript:" and similar attacks in src and href attributes.
Comment #1
Posted on Oct 20, 2008 by Swift Bird
Did you try it? Django should HTML escape any field values rendered in templates unless you mark it safe using mark_safe(). Furthermore, the django.contrib.flatpages application also allows raw HTML in the content field, so this is not any worse.
Filtering HTML is a subtle business. The goal of the tinymce application is just the form widget, so I am hesitant to let it do anything more. For example, limiting HTML in TinyMCE will not protect you against people who POST the form by hand.
In short, I feel this issue falls beyond the scope of the tinymce application.
Status: Invalid
Labels:
Type-Defect
Priority-Medium
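The report asks for tag limiting and "javascript:" filtering in the TinyMCE settings, and the reply points out that anything done in the widget is bypassed by a hand-crafted POST. Both are served by one server-side step: an allowlist sanitizer run in the form's or model's clean() on whatever HTML arrives, independent of the editor. The following is an added example, not code from django-tinymce or from either participant; it uses only the Python standard library so it runs without Django, and the tag/attribute/scheme allowlists and the names sanitize() and safe_url() are my own assumptions, not project defaults.

```python
"""Allowlist HTML sanitizer for an HTMLField (added example, not django-tinymce code).

Applied server-side (e.g. in a Django form's clean_<field>() or a model's
clean()), it holds whether the HTML came from TinyMCE or from a raw POST.
Allowlists below are assumptions chosen for the example.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}  # no on*, no style
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}  # drop the element and everything inside it


def safe_url(value):
    """True if the URL's scheme is allowlisted after browser-style normalisation.

    Browsers ignore tabs/newlines/control characters inside the scheme, so
    "java\tscript:" and "&#9;javascript:" must be judged as "javascript:".
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    try:
        scheme = urlsplit(cleaned).scheme.lower()  # urlsplit lowercases the scheme
    except ValueError:  # e.g. malformed IPv6 literal; reject rather than guess
        return False
    return scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; escapes everything else as text."""

    def __init__(self):
        # convert_charrefs=True means data arrives decoded; we re-escape it on output.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # emitted, not yet closed; used to balance output
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted (escaped)
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names and unescapes values
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently drops onerror=, onclick=, style=, etc.
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: ... are removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # Close anything opened after it as well so the output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (incl. conditional comments) are dropped

    def result(self):
        while self.open_tags:  # close tags the input left dangling
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return an allowlisted, balanced HTML string safe to render with mark_safe()."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()  # flushes buffered text
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input mixing the attacks the report mentions.
    sample = ('<p onclick="alert(1)">hi <a href="JaVa&#9;ScRiPt:alert(1)">x</a></p>'
              '<script>alert(1)</script><img src="/a.png" onerror="alert(1)">')
    print(sanitize(sample))
```

The point of running this in clean() rather than trusting TinyMCE's valid_elements is exactly the one made in the comment: the widget is a convenience for the browser, and the server must treat the submitted string as untrusted regardless of which client produced it. Dropping rather than escaping disallowed tags is a deliberate choice; escaping them is equally safe and keeps the author's text visible.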