Tom, running as root means that in OpenACS a "regular-looking" user is very often also an administrative account, e.g. on openacs.org there are a bunch of people who have access to acs-admin (how many?).
So if one of these folks is logged in and surfing the forums, he's entitled to do administrative tasks as well. Even worse, if that person is surfing other sites, "dodgy" HTTP requests may lead to "dodgy" requests on openacs.org.
So my analogy is: think Linux, and you fire up Firefox from your root account to surf the web.
(Windows users know that situation quite well: they usually use an "Administrator" account all the time.)
Instead of trying to sanitize and parse HTML code to death, we should just take Barry's sudo package and also add a switch to the form_builder and ad_page_contract to require a "second" login for pages where it seems necessary, e.g. an order confirmation page or user-dependent "nuke" pages.
Would this require a TIP? Or is it considered a security fix?
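The following is an added illustration of the "second login" idea in the post above; it is example code, not code from the original post, from Barry's sudo package or from OpenACS. It models an application where a session cookie alone is not enough to reach a destructive admin page: the user has to re-enter the password on a confirmation step, which hands back a short-lived, one-time token that the destructive request must carry. A request forged from another site rides along on the victim's cookie but never sees that token, so it is refused. The class and function names (App, reauth, nuke_user, outcome), the 300-second token lifetime and the PBKDF2 password storage are assumptions of this example, not OpenACS APIs.

```python
"""Model of a 'second login' (step-up authentication) for destructive pages.

Added example, not OpenACS code. All names here are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import time


class ReauthRequired(Exception):
    """The sensitive action was requested without a valid second login."""


class Forbidden(Exception):
    """Caller is not an administrator or supplied a wrong password."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password store the real site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class App:
    """Stand-in for a web application with cookie-based sessions (hypothetical)."""

    STEPUP_TTL = 300  # seconds a second login stays usable (assumed value)

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be demonstrated
        self.users = {}             # name -> (salt, digest, is_admin)
        self.sessions = {}          # cookie value -> session dict
        self.nuked = []             # destructive actions actually performed

    def add_user(self, name, password, admin=False):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash_password(password, salt), admin)

    def _check_password(self, name, password):
        if name not in self.users:
            return False
        salt, digest, _ = self.users[name]
        return hmac.compare_digest(_hash_password(password, salt), digest)

    def login(self, name, password):
        """First login: returns the value the browser would store as a cookie."""
        if not self._check_password(name, password):
            raise Forbidden("bad credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": name, "stepup": None}
        return sid

    def reauth(self, sid, password):
        """Second login on the confirmation page: returns a one-time token.

        The token is only ever delivered in the response body of this page,
        which a foreign origin cannot read, so a cross-site forger never has it.
        """
        sess = self.sessions[sid]
        if not self._check_password(sess["user"], password):
            raise Forbidden("second login failed")
        token = secrets.token_urlsafe(32)
        sess["stepup"] = (token, self.clock() + self.STEPUP_TTL)
        return token

    def _consume_stepup(self, sess, token):
        stepup = sess.get("stepup")
        if stepup is None or token is None:
            raise ReauthRequired("no second login on record")
        expected, expires = stepup
        if self.clock() > expires:
            sess["stepup"] = None
            raise ReauthRequired("second login has expired")
        if not hmac.compare_digest(expected, token):
            raise ReauthRequired("token does not belong to this session")
        sess["stepup"] = None  # one-time use: a replay must log in again

    def nuke_user(self, sid, target, stepup_token=None):
        """The destructive 'nuke' page: admin only, and only with a fresh second login."""
        sess = self.sessions[sid]
        if not self.users[sess["user"]][2]:
            raise Forbidden("administrators only")
        self._consume_stepup(sess, stepup_token)
        self.nuked.append(target)
        return True


def outcome(action, *args):
    """Run one request and report 'ok' or the name of the refusal."""
    try:
        action(*args)
        return "ok"
    except (ReauthRequired, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    app = App()
    app.add_user("alice", "correct horse battery staple", admin=True)
    sid = app.login("alice", "correct horse battery staple")   # browser cookie
    # A forged cross-site request carries the cookie but not the token.
    print("forged request:   ", outcome(app.nuke_user, sid, "bob"))
    token = app.reauth(sid, "correct horse battery staple")    # confirmation page
    print("confirmed request:", outcome(app.nuke_user, sid, "bob", token))
    print("replayed request: ", outcome(app.nuke_user, sid, "carol", token))
```

In OpenACS terms the check in `_consume_stepup` is what a "require second login" switch on ad_page_contract or the form builder would perform before the page body runs; the model above is framework-neutral so the mechanism can be read on its own. Note that the token is bound to the session and consumed on use, so even an admin who just confirmed one "nuke" cannot have a second one slipped past them within the time window.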