As a general rule, yes. Providing HTML editing in any publicly accessible part of a web app is one of those "bad things" you typically want to avoid. Here's just one example of why:
http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391

---
Kevin Graeme
Cooperative Extension Technology Services
University of Wisconsin-Extension

> So should all html be treated as bad and block it?
>
> >HTML editors cause a couple of problems:
> >
> >#1 - you can break the HTML.
> >#2 - you can PASTE IN any html you want into tinyMCE.. you'd have to
> >parse out the tags you don't want.. and it could still be broken html.
> >#3 - wysiwyg html editors are slow loading, even at their most basic.
> >#4 - wysiwyg html editors are very browser dependent.

