Forum OpenACS Development: Re: Security parameters in kernel

Posted by Gustaf Neumann on
Malte, a few of the tags mentioned in your original posting seem to be a result of cut & paste from Word. I would not move these to the allowedTags but rather recommend using the msoffice-clean functions of newer incarnations of htmlarea such as xinha.

The core of the discussion is that one can implement very nice functionalities (which would be quite important to provide good content creation tools for oacs/dotlrn) by being more liberal; for example, I have developed an htmlarea-based wiki over the last days, but without images it won't be as nice as it is now.

In general I agree that for the toolkit the conservative (non-liberal) approach should be standard. At the same time I think we should provide options for site admins to configure their system to be more liberal in certain situations by:

  • permission checking for potentially unsafe allowedHTML properties
    (certain users are allowed to use potentially unsafe HTML tags)
  • defining parameters with regexps for trusted (partial) URLs for hrefs, img-src, link, applet ...
    I do not currently see the danger of including images from e.g. the icon library administered by the sysadmin.
  • checking URLs for untrusted characters, patterns etc. to prevent javascript invocations.
A combination of the first two options seems to provide a good deal of protection; the last option should always be done (we do this via pound anyhow).

Btw., there is a recent article about cross-site scripting that demonstrates creative ways to use CSS for exploitation:
http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391