21 Feb 2007, 2:53 p.m.
I sometimes wonder why we even bother doing <http://drupal.org/security>.
Unless you are the only user posting on the site, setting Full HTML as the default input format is both 1) the easy way out and 2) insecure.
1. You can simply investigate which tags are needed and add those to the HTML filter.
2. Insecure, because you allow all users to execute cross-site scripting attacks.
Ideally, it'd be nice if comments could have their own input format. With the authors of the site, I need them to be able to put in HTML. With commenters, all I want them to do is plain text.

- jody
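The two posts above describe three input formats (Full HTML, a tag-allowlist "HTML filter", and plain text) and the wish to pick one per role so that authors can use markup while commenters cannot. The following is an added example, not Drupal's code and not code from either poster: a small allowlist HTML filter in Python that shows what survives under each format when a comment carries typical script injection, plus a per-role lookup. The allowed tag and attribute set, the role names, and the sample comment are all assumed or constructed here; Drupal's actual allowed-tag list is whatever the site administrator configures.

```python
"""Allowlist HTML filter versus Full HTML passthrough versus plain text.

Added example (not Drupal code). Demonstrates why a Full HTML default
lets any commenter inject script, and how a tag allowlist or plain
text format prevents it.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for the "Filtered HTML" format. Drupal's real list is
# site-configured; this is just a plausible minimal set.
ALLOWED_TAGS = {"a", "em", "strong", "p", "ul", "ol", "li", "code", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistFilter(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags and attributes.

    Unlisted tags and attributes (script, img/onerror, on* handlers,
    javascript: hrefs) are dropped, the bodies of script/style are dropped
    too, and all text is re-escaped so no raw '<' reaches the output.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self._skip_depth += 1  # drop the contents, not just the tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth:
            return
        self.out.append(escape(data))


def filtered_html(text):
    """Filtered HTML: only allowlisted markup passes through."""
    p = AllowlistFilter()
    p.feed(text)
    p.close()
    return "".join(p.out)


def full_html(text):
    """Full HTML: the insecure default the first post warns about."""
    return text


def plain_text(text):
    """Plain text: everything is escaped, nothing renders as markup."""
    return escape(text)


# Per-role format choice, as the second post asks for. Role names assumed.
FORMAT_FOR_ROLE = {"author": filtered_html, "anonymous": plain_text}


def render(text, role):
    """Unknown roles fall back to the most restrictive format."""
    return FORMAT_FOR_ROLE.get(role, plain_text)(text)


# Constructed sample comment carrying a few common script-injection vectors.
SAMPLE = (
    "<p>Nice <strong>post</strong>!</p>"
    "<script>alert(1)</script>"
    '<img src=x onerror="alert(2)">'
    '<a href="javascript:alert(3)" onclick="alert(4)">click</a>'
)

if __name__ == "__main__":
    print("Full HTML :", full_html(SAMPLE))
    print("Author    :", render(SAMPLE, "author"))
    print("Anonymous :", render(SAMPLE, "anonymous"))
```

Running it shows the Full HTML path returning the comment untouched, the author path reduced to `<p>Nice <strong>post</strong>!</p><a>click</a>`, and the anonymous path fully escaped. The filter rebuilds output from parsed tokens rather than pattern-matching the input string, which is the property that makes an allowlist hold up against malformed or obfuscated markup.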