How can I prevent certain HTML tags from being stored to Firestore with firestore.rules?

Something like this?

service cloud.firestore {
  match /databases/{database}/documents {
    function isClaims(claim) {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.claims[claim];
    }

    match /foo/{id} {
      allow get;
      allow list: if request.query.limit <= 111;
      allow write: if isClaims("foo") == true
      // && ensure request.resource.data does not contain certain HTML tags here;
    }
    ...

Note:

• I have already validated user input on the client side.
• I haven't tried anything on rules because I have no idea at all.

If you want to prevent certain HTML tags from being stored in Firestore, I recommend you use regular expressions according to Google RE2 syntax. So to achieve this, I recommend you check Cloud Firestore Rules Reference, where you will find the matches() method. This method will allow you to check a value against a REGEX.