On Feb 18, 2008 9:46 PM, Tim Starling tstarling@wikimedia.org wrote:
> It's safe to allow sysops to insert arbitrary HTML into pages. This is because we trust sysops. If it's unsafe to allow them to add arbitrary HTML, we should immediately remove their equally dangerous ability to edit MediaWiki:Monobook.js. But we don't, because we trust them.
>
> A security model has to be derived from a threat model. There is no threat which would be eliminated by removing all HTML messages. There is also no threat which would be eliminated by scaremongering in source code comments for several years.
Well, I've said all that to Brion, but he didn't agree. :) He wants to get rid of all HTML-permitting messages. Actually, I think part (most? all?) of his concern is that sysops shouldn't be expected to know HTML, or to be capable of outputting remotely valid HTML, and so formatting should always be achieved via wikitext. Or something like that. It's been a while.