solo turn wrote:
Do you know a good example which shows this "VERY dangerous"? Dangerous for whom? If somebody adds a JavaScript function that changes the admin password and hopes an admin would click on it?
That's one of many possibilities, yes. For background information, google up cross-site scripting attacks as well as general browser vulnerabilities (including among other things ActiveX malware and various image decoder and other buffer overflows which could be exploited on unpatched browsers by HTML injection).
Hijacking trusted site permissions to install malware on the client machine, hijacking sessions to gain admin privileges on the wiki, installing password sniffers, etc. (Remember that many people use the same password on many sites.)
We do not need real raw HTML, just the styles. Do you see any danger in having the <style> tag enabled?
Internet Explorer executes JavaScript expressions and javascript: URLs in CSS styles, so you'd want to be careful about filtering these. We do some checks for that on style attributes in embedded HTML in the wiki.
-- brion vibber (brion @ pobox.com)
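The kind of check described above for style attributes, written out as an added example. This is not MediaWiki's code and the function names (`decodeCssEscapes`, `normalizeStyle`, `unsafeStyleReason`, `isSafeStyle`) and the pattern list are my own choices. It goes a bit beyond the IE `expression()` and `javascript:` cases named in the reply: it also refuses `behavior:` (IE .htc), `-moz-binding:` (old Gecko XBL), `@import`, and non-http(s) `url()` values, and it first undoes the three tricks attackers use to slip past a naive substring match (CSS comments inside a token, backslash hex escapes, and embedded whitespace or control characters). The input is assumed to be what the browser's CSS parser would actually see, i.e. already HTML-entity-decoded.

```javascript
// Added example, not MediaWiki code: reject CSS text (a style="" value or the
// body of a <style> element) that old Internet Explorer would execute as script.
// Assumes the input has already been HTML-entity-decoded by the caller.

// Decode CSS backslash escapes: "\HH..H" (1-6 hex digits, optional trailing
// whitespace) or "\X" (any other character). "expr\65ssion" becomes "expression".
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n\r\f])/g, (m, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      // NUL and out-of-range code points are dropped, which is the lenient
      // direction for a blacklist: "java\0script" collapses to "javascript".
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    return ch;
  });
}

// Canonicalise the text the way a lenient browser effectively read it.
// Order matters: comments first (so an escape cannot fabricate a "/*" that
// would hide real tokens), then escapes, then whitespace/control characters.
function normalizeStyle(css) {
  // 1. IE accepted "exp/**/ression(" as expression(; strip closed comments.
  //    An unterminated "/*" is left in place, so its contents still get scanned.
  let s = css.replace(/\/\*[\s\S]*?\*\//g, '');
  // 2. Undo "\65"-style escapes used to split a dangerous keyword.
  s = decodeCssEscapes(s);
  // 3. Drop whitespace and C0/C1 control characters that IE skipped inside tokens.
  s = s.replace(/[\u0000-\u0020\u007f-\u009f]/g, '');
  return s.toLowerCase();
}

// Checked in order against the normalised text; the first hit is reported.
const DANGEROUS_PATTERNS = [
  [/expression\(/, 'expression()'],                  // IE dynamic properties
  [/behavior:/, 'behavior:'],                        // IE .htc behaviours
  [/-moz-binding:/, '-moz-binding:'],                // old Gecko XBL bindings
  [/@import/, '@import'],                            // pulls in a hostile stylesheet
  [/(?:javascript|vbscript|livescript|mocha|data):/, 'script or data: URL scheme'],
  [/url\((?!["']?https?:\/\/)/, 'url() that is not an absolute http(s) URL'],
  [/[<>]/, 'angle bracket'],                         // could close a <style> element early
  [/\\/, 'unconsumed backslash'],                    // refuse to guess what a browser does
];

// Returns null when the CSS passes, otherwise a short reason string.
function unsafeStyleReason(css) {
  const s = normalizeStyle(css);
  for (const [re, why] of DANGEROUS_PATTERNS) {
    if (re.test(s)) return why;
  }
  return null;
}

function isSafeStyle(css) {
  return unsafeStyleReason(css) === null;
}

// Constructed samples, run when the file is executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    'color: red; font-weight: bold',
    'width: expression(alert(document.cookie))',
    'width: exp/* split */ression(alert(1))',
    'width: expr\\65ssion(alert(1))',
    'background: url("javascript:alert(1)")',
    'background: url("https://example.org/bg.png")',
  ];
  for (const s of samples) {
    console.log(JSON.stringify(s), '=>', unsafeStyleReason(s) || 'ok');
  }
}
```

The list is a blacklist and, like the one in the thread, only as good as the normalisation in front of it; the safer design for a wiki is the inverse, a whitelist of known-harmless properties and value grammars, with everything else dropped. The reason string is meant for logging so that attempts show up in the server logs rather than silently disappearing.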