Hi,

I would like to put a note on fckeditor and tinymce (and offspring) and any other WYSIWYG project pages minus WYMeditor:

If you use this module, then please do not ask for support on any other module or core and please note that you might or might not face security problems.

Reason:
http://drupal.org/node/84797
http://drupal.org/node/121276

Regarding the latter, Greg agreed with me regarding the note above. Regarding security, those who use such a module might be inclined to relax the tight security of filtered HTML to allow fancy features of the editor and there it goes. Indeed what you see is what you get even if it's XSS.

Regards,

NK
One thing that would help me is defining multiple default input formats. So, untrusted users get the WYSIWYG editor with filtered HTML by default, trusted users get the WYSIWYG editor with less filtered HTML by default. And I would prefer that the trusted users not even have access to multiple input formats, it just adds more clutter to the form.

--mark

On 3/12/07, Karoly Negyesi <karoly@negyesi.net> wrote:
> Hi,
>
> I would like to put a note on fckeditor and tinymce (and offspring) and any other WYSIWYG project pages minus WYMeditor:
>
> If you use this module, then please do not ask for support on any other module or core and please note that you might or might not face security problems.
>
> Reason:
> http://drupal.org/node/84797
> http://drupal.org/node/121276
>
> Regarding the latter, Greg agreed with me regarding the note above. Regarding security, those who use such a module might be inclined to relax the tight security of filtered HTML to allow fancy features of the editor and there it goes. Indeed what you see is what you get even if it's XSS.
>
> Regards,
>
> NK
On Mar 12, 2007, at 5:28 PM, mark burdett wrote:
> One thing that would help me is defining multiple default input formats.
http://drupal.org/node/11218

-derek (dww)
On 3/12/07, Karoly Negyesi <karoly@negyesi.net> wrote:
> Regarding security, those who use such a module might be inclined to relax the tight security of filtered HTML to allow fancy features of the editor and there it goes. Indeed what you see is what you get even if it's XSS.
As for XSS, there is an HTML Purifier (http://hp.jpsband.org/) module for Drupal being developed outside of drupal.org, worth checking out: http://bart.motd.be/projects/html-purifier-drupal-module
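To make Karoly's warning and Mark's per-role input formats concrete, here is an added illustration written for this page (it is not Drupal's Filtered HTML filter, the HTML Purifier module, or code from anyone in the thread): a small allow-list filter with two constructed formats, a strict one for untrusted users and a "less filtered" one that adds the tags an editor wants. The allow-lists, the safe URL schemes and the sample markup are assumptions made for the example; what it shows is that loosening the format is only safe if attributes and URL schemes are allow-listed together with the tags, since a tag-only allow-list lets the editor's fancy features carry the script along.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-lists (tag -> permitted attributes); an assumption for this example,
# not Drupal's Filtered HTML settings. RELAXED is the "less filtered" format a trusted role gets.
STRICT = {**{t: set() for t in ("p", "em", "strong", "ul", "ol", "li")}, "a": {"href"}}
RELAXED = {**STRICT, **{t: set() for t in ("table", "tr", "td", "span")}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" is a relative URL
DROP_WITH_CONTENT = {"script", "style"}         # element and its text are removed

class AllowListFilter(HTMLParser):
    """Keep allow-listed tags only, and on them allow-listed attributes only."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out, self.skip = allowed, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in self.allowed:
            return  # unknown tag is dropped; its text content survives
        kept = []
        for name, value in attrs:  # names arrive lower-cased, so onError == onerror
            if name not in self.allowed[tag] or value is None:
                continue  # event handlers, style, class, ... never pass
            if name in ("href", "src") and urlparse(value.strip()).scheme not in SAFE_SCHEMES:
                continue  # e.g. javascript: or data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... />: no closing tag is emitted

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_html(markup, allowed):
    """Re-serialise markup from the allow-list; nothing is passed through raw."""
    parser = AllowListFilter(allowed)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Run against constructed input, the strict format drops an `<img>` entirely, while the relaxed format keeps the image but not its `javascript:` source or `onerror` handler, which is exactly the attribute-level check a tag-only relaxation would skip.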
Participants (4): Derek Wright, Joakim Stai, Karoly Negyesi, mark burdett