Hi!
- HTML validation - our current security model relies on the HTML being generated server-side by a wikitext parser. If we cut wikitext out of the loop, we'll need some other way of ensuring that people can't inject arbitrary JavaScript/Flash embedding/Java applet/ActionScript/iframe or any other security horrors.
There are tools like HTML Purifier which are pretty good at it, though the performance of those is not stellar, especially on big texts. The Purifier pretty much disassembles it into DOM, validates that, throws out what it doesn't like and reassembles it back. Which is not very fast in PHP, but is pretty strict. Still, there's a chance people could sneak something past it.