10 February 2008, 21:07   #14
eLowar
Citizen of Elthesh
Join Date: Sep 2003
Location: UK
Posts: 949
Quote:
Originally Posted by andreas
If HTML gets allowed, JavaScript must be disabled and dysfunctional in posts.
This way, I would not see any security hole. HTML is static ... no life inside.

As has been shown many, many times, it is highly non-trivial to actually filter out every last bit of malicious code.

And besides that, you also need mechanisms to prevent HTML posts from seriously messing up the forum layout (a simple example from long ago, which admittedly probably/maybe doesn't work anymore these days, is unclosed tags, resulting in mismatched tags in the actual forum layout and hence boxes going too far, etc.).

And even if all that was very unlikely (and I'm not so sure just how unlikely it is), still, why even risk it at all? Can you name any legitimate (read: other than playing silly little games with the board) use?
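
The two concerns raised in this post (a filter that misses something, and unclosed tags spilling into the forum layout) are commonly handled by rebuilding the post from an allowlist instead of deleting known-bad strings. The following is an added example, not part of the original post or of any forum software; it uses Python's standard `html.parser`, and `ALLOWED_TAGS`, `PostSanitizer` and `sanitize_post` are hypothetical names with an assumed tag policy.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: a few formatting tags, no attributes at all.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "code", "blockquote"}


class PostSanitizer(HTMLParser):
    """Rebuild a post from parser events instead of deleting 'bad' substrings."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.open_tags = []   # allowlisted tags that are still open

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are dropped wholesale: no handlers, styles or URLs survive.
            self.out.append(f"<{tag}>")
            self.open_tags.append(tag)
        else:
            # Anything off the allowlist is emitted as literal text, never markup.
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            # Stray close (e.g. aimed at the forum's own layout tags): neutralize it.
            self.out.append(escape(f"</{tag}>"))
            return
        # Close inner tags first so the output is always properly nested.
        while True:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize_post(raw: str) -> str:
    parser = PostSanitizer()
    parser.feed(raw)
    parser.close()
    # Close whatever the poster left open so it cannot leak into the page layout.
    while parser.open_tags:
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)
```

Because the output is generated only from allowlisted tag names and escaped text, an input the parser interprets unexpectedly can at worst render as visible text; it cannot become markup the filter never considered.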