Forum OpenACS Q&A: Re: Thanks for ETP 2

6: Re: Thanks for ETP 2 (response to 5)
Posted by Jeff Davis on
Ben, you are talking about something entirely different. The issue with the bio being html vs. not is unrelated to this; for the bio it's simply that no one has taken the time to make the bio allow mixed formatting (richtext, html, plain). The technical consideration here is that for every field you want to change to allow mixed formatting like that you need to carry around the "format" field as well.

I think it's important to fix but it's really pretty unrelated to the issue of what html is safe to allow through versus not.

I think good security is not something we should sacrifice for ease of use (at least not by default); look at the reputation phpNuke et al have for security laxness. Much of it springs from a history of these sorts of exploits. Ultimately it's something that, if we want OpenACS to be acceptable for anything other than personal sites, we need to take care not to permit.