AntiSamy uses home-grown methods to be very specific about what is and is not allowed to come into the application. What's very nice about it is that it already includes configurations for several profiles, each modeled on an online site that allows HTML, and each roughly matching what that website permits. For example, the Slashdot profile is pretty restrictive, while the MySpace profile allows quite a bit more.
To be honest, I don't know how much better AntiSamy is than using a DTD, Schema, or RelaxNG to validate the HTML, *except* that there are additional rules that have to be validated with logical tests.
One thing that occurred to me while working on a mock-up of using XML validation to perform this validation is that <img> tags (or anything with a remote URL) require special consideration to deal with the possibility of XSRF against other sites. For example, if an attacker finds an XSRF vulnerability against some site, it's in their interest to get that URL injected in as many places as possible. One way to do this is with <img> tags in sites that allow them to come from remote sites, or url() constructs in style attributes where a URL is permissible. In order to deal with these, the best way I came up with is to have the server fetch the resource when the tag is entered, then, when the page is rendered, to reference the URL locally. (This also gives the user the benefit of having a static version of an image, even when it expires off the original site.)
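A sketch of that fetch-and-rehost step, added here as an example (it is not AntiSamy code and not from my mock-up): it covers only <img src>, not url() in style attributes, and the fetch callable, the store dict and the /media/ prefix are assumptions. Because the server fetching a user-supplied URL is itself a risk, the sketch also refuses hosts that resolve to non-public addresses and anything that does not come back as an image.

```python
import hashlib, ipaddress, socket
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}

class ImgLocalizer(HTMLParser):  # re-emits already-sanitized HTML with <img src> made local
    def __init__(self, fetch, store, resolve=socket.getaddrinfo):
        super().__init__(convert_charrefs=False)
        self.fetch, self.store, self.resolve, self.out = fetch, store, resolve, []

    def localize(self, url):
        try:  # SSRF guard: every address the host resolves to must be publicly routable
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                return None
            addrs = [ipaddress.ip_address(a[4][0]) for a in self.resolve(parts.hostname, None)]
        except (OSError, ValueError):
            return None
        if not addrs or not all(a.is_global for a in addrs):
            return None
        # fetch() is hypothetical: (content_type, body); refuse redirects, cap the read size
        ctype, body = self.fetch(url)
        if ctype not in ALLOWED:
            return None
        name = hashlib.sha256(body).hexdigest() + ALLOWED[ctype]
        self.store[name] = body
        return "/media/" + name  # assumed local URL prefix

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        a = dict(attrs)
        local = self.localize(a.get("src") or "")
        if local:  # an image that cannot be localized is dropped, never linked remotely
            self.out.append('<img src="%s" alt="%s">' % (local, escape(a.get("alt") or "")))

    def handle_startendtag(self, tag, attrs): self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag): self.out.append("</%s>" % tag)
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append("&%s;" % name)
    def handle_charref(self, name): self.out.append("&#%s;" % name)

def localize_images(html, fetch, store, resolve=socket.getaddrinfo):
    parser = ImgLocalizer(fetch, store, resolve)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The remote URL is requested once, by the server and without any reader's cookies, so readers' browsers never issue the request themselves.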
Anyhow, cheers again to OWASP.