Excellent comments, that is the right approach.

On 3/13/07, Joakim Stai <joakimstai@gmail.com> wrote:
I think some developers need to lay their personal issues with WYSIWYG editors aside and acknowledge that it is wanted and needed by many end users of Drupal. It's something so important for so many users (also potential ones) that it should be something easy to implement and safe to use.
I see the issues many developers have with these editors. But instead of writing it off as the devil's work, we should promote the safest possible use of these editors, particularly in the handbook and on the project pages of the editor modules.
As for the <font> tag from hell, I tend to remove its toolbar controls from TinyMCE and instead give my customers the Styles dropdown containing classes of the website's CSS (or a separate CSS file). As a bonus, this makes for much cleaner code and easier-to-read texts. I don't give them the "Edit HTML code" button either. I'm also looking into HTML Purifier, which with its whitelist stops XSS and creates standards-compliant code.
From the HTML Purifier website: "Even the most dogmatic purist, however, should recognize that for all its faults, prospective clients really want rich text editors. There are steps you can take to mitigate the associated drawbacks of these editors." -> http://hp.jpsband.org/comparison.html
Drupal module here (beta): http://bart.motd.be/projects/html-purifier-drupal-module
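
The whitelist idea from the quoted message, as an added example that is not part of the thread and is not HTML Purifier's code: a small Python filter that drops `<font>`, scripts, inline styles and event handlers, and keeps only classes from an approved stylesheet list. The tag list, class names, `SAFE_URL` rule and `purify` helper are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy for illustration; the class names are hypothetical.
ALLOWED_TAGS = {"p", "br", "strong", "em", "ul", "ol", "li", "a", "span"}
ALLOWED_CLASSES = {"intro", "warning", "caption"}
SAFE_URL = re.compile(r"(?:https?|mailto):", re.I)  # absolute links only
DROP_WITH_CONTENT = {"script", "style"}

class WhitelistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], False

    def handle_starttag(self, tag, attrs):
        self.skipping = self.skipping or tag in DROP_WITH_CONTENT
        if self.skipping or tag not in ALLOWED_TAGS:
            return  # e.g. <font>: the tag is dropped, its text is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name == "class":
                value = " ".join(c for c in value.split() if c in ALLOWED_CLASSES)
            elif not (name == "href" and tag == "a" and SAFE_URL.match(value)):
                value = ""  # style, on* handlers, javascript: links, the rest
            if value:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skipping = False
        elif not self.skipping and tag in self.open_tags:
            closed = None
            while closed != tag:  # close inner tags first to stay well formed
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def purify(dirty):
    parser = WhitelistFilter()
    parser.feed(dirty)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open_tags)])
```

Anything not named in the policy is removed by default, so a new tag or attribute coming out of the editor has to be allowed explicitly before it reaches stored content.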