[development] Re: Remove PHP filter by default
Chris Johnson
chris at tinpixel.com
Sun Jan 29 22:11:01 UTC 2006
Karoly Negyesi wrote:
> On Sun, 29 Jan 2006 21:32:46 +0100, Raven Brooks
> <raven.brooks at buyblue.org> wrote:
>
>>
>> Why is the existing option to disable this or limit it to certain
>> roles not sufficient?
>
> Because it takes exactly one badly written module to unleash hell. Yes,
> it happened in the past.

Removing this filter is not going to fix *that* problem. Without the PHP
filter, I can still write a completely broken module that will unleash hell.

This is a good reason for having a quality module evaluation scheme. Don't
use modules that are poorly written if you want security.

..chrisxj