[development] Re: Remove PHP filter by default

Chris Johnson chris at tinpixel.com
Sun Jan 29 22:11:01 UTC 2006

Karoly Negyesi wrote:
> On Sun, 29 Jan 2006 21:32:46 +0100, Raven Brooks 
> <raven.brooks at buyblue.org> wrote:
>> Why is the existing option to disable this or limit it to certain 
>> roles not sufficient?
> Because it takes exactly one badly written module to unleash hell. Yes, 
> it happened in the past.

Removing this filter is not going to fix *that* problem.  Without the PHP 
filter, I can still write a completely broken module that will unleash hell.

This is a good reason for having a quality module evaluation scheme.  Don't 
use modules that are poorly written if you want security.


More information about the development mailing list