Something like this?
service cloud.firestore {
  match /databases/{database}/documents {
    // Looks up the named claim on the caller's own /users/{uid} document.
    function isClaims(claim) {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.claims[claim];
    }
    match /foo/{id} {
      allow get;
      allow list: if request.query.limit <= 111;
      allow write: if isClaims("foo") == true
        // && ensure request.resource.data does not contain certain HTML tags here
        ;
    }
...
Note:
If you want to prevent certain HTML tags from being stored in Firestore, I recommend you use regular expressions written in Google RE2 syntax. To achieve this, I recommend you check the Cloud Firestore Rules Reference, where you will find the matches() method. This method will allow you to check a value against a regex.
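
One way to fill in the placeholder condition with matches(), as an added example that is not part of the original post. The `body` field name, the tag list, the 10000-character limit and the helper name `hasNoBlockedTags` are assumptions made for illustration.

```firestore-rules
service cloud.firestore {
  match /databases/{database}/documents {
    function isClaims(claim) {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.claims[claim];
    }

    // Hypothetical helper: true when the string contains none of the listed tags.
    // matches() tests the WHOLE string, so the pattern needs wildcards on both sides.
    // (?i) makes it case-insensitive, (?s) lets "." span newlines (RE2 flags).
    // The trailing group stops "<scripted>" from counting as "<script>".
    function hasNoBlockedTags(text) {
      return !text.matches('(?is).*<[[:space:]]*/?[[:space:]]*(script|iframe|object|embed)([^a-z0-9].*)?');
    }

    match /foo/{id} {
      allow get;
      allow list: if request.query.limit <= 111;

      // request.resource is null on delete, so the content check is only
      // applied to create and update; delete keeps the claim check alone.
      allow create, update: if isClaims("foo") == true
        && request.resource.data.body is string      // assumed field name
        && request.resource.data.body.size() <= 10000 // assumed length limit
        && hasNoBlockedTags(request.resource.data.body);
      allow delete: if isClaims("foo") == true;
    }
  }
}
```

A deny-list of tag names does not cover markup such as event-handler attributes on other elements, so the client should still escape or sanitize the value when rendering it. If the field never needs markup at all, the stricter condition `text.matches('[^<>]*')` rejects every angle bracket.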