Absolutely, the proper solution is to add in to the filtered HTML input filter those tags which are secure and absolutely indispensable.<br><br>Very important point.<br><br>Victor Kane<br><a href="http://awebfactory.com.ar">
http://awebfactory.com.ar</a><br><br><div><span class="gmail_quote">On 2/20/07, <b class="gmail_sendername">Heine Deelstra</b> &lt;<a href="mailto:hdeelstra@gmail.com">hdeelstra@gmail.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Victor Kane wrote:<br>&gt; You must either change the default input filter to full html, or else<br>&gt; edit the off-the-shelf default &quot;filtered html&quot; to include the basic tags<br>&gt; users create with tinyMCE.
<br><br>I sometimes wonder why we even bother doing &lt;<a href="http://drupal.org/security">http://drupal.org/security</a>&gt;.<br><br>Unless you are the only user posting on the site, setting Full HTML as the<br>default input format is both 1) the easy way out and 2) insecure.
<br><br>1. You can simply investigate which tags are needed and add those to the HTML<br>filter.<br><br>2. Insecure, because you allow all users to execute cross site scripting attacks.<br><br>Regards,<br><br>Heine<br>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/">http://lists.drupal.org/</a> ]<br></blockquote></div><br>