This is in fact an idea mentioned by dougiamas on #mootukie16, since antiviruses_scan_data is implemented, HTML can be scanned on output as well, as some malicious html content could already be stored either before antivirus scanning of html has been implemented, or at storing point antivirus did not know it is malicious.