Absolutely, the proper solution is to add to the filtered HTML input filter those tags which are secure and absolutely indispensable. Very important point.

Victor Kane
http://awebfactory.com.ar

On 2/20/07, Heine Deelstra <hdeelstra@gmail.com> wrote:
Victor Kane wrote:
You must either change the default input filter to full html, or else edit the off-the-shelf default "filtered html" to include the basic tags users create with tinyMCE.
I sometimes wonder why we even bother doing <http://drupal.org/security>.
Unless you are the only user posting on the site, setting Full HTML as the default input format is both 1) the easy way out and 2) insecure.
1. You can simply investigate which tags are needed and add those to the HTML filter.
2. Insecure, because you allow all users to execute cross-site scripting attacks.
Regards,
Heine

-- 
[ Drupal support list | http://lists.drupal.org/ ]
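The point both replies make is that the safe fix is a tag allow-list extended with exactly the formatting tags the editor emits, not switching the default format to Full HTML. The following is an added illustration of that principle in Python; it is not code from this thread and not Drupal's own filter implementation. The allowed tag and attribute sets are assumptions standing in for "the basic tags users create with tinyMCE"; a real site would derive them from the editor's configuration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: the kind of basic formatting tags a WYSIWYG editor
# produces. Anything not listed here is stripped (its text content is kept).
ALLOWED_TAGS = {"p", "br", "strong", "em", "u", "ul", "ol", "li",
                "a", "blockquote", "h2", "h3"}
# Attributes are allow-listed per tag; this silently drops onclick=, style=,
# onerror= and every other attribute an attacker would rely on.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
# Tags whose *contents* must be discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowListFilter(HTMLParser):
    """Rebuild markup keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop it, keep the text inside it
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # rejects javascript: and other non-http links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            # Text is re-escaped, so a literal "<" from the user stays text.
            self.out.append(escape(data, quote=False))


def filter_html(markup: str) -> str:
    """Return markup containing only allow-listed tags and attributes."""
    parser = AllowListFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: ordinary editor output mixed with hostile markup.
    sample = ('<p onclick="alert(1)">Hi <strong>there</strong></p>'
              '<script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a>')
    print(filter_html(sample))
```

Adding a tag to `ALLOWED_TAGS` is the equivalent of extending Drupal's filtered HTML format with one more tag: the site grows its allow-list one deliberate entry at a time, instead of handing every user the full HTML language and the script execution that comes with it.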