Hey,
This is clearly not the case. Because there are XSS vectors all over these
widgets.
Developers who understand security do not monitor code strewn about in
piles of wiki pages.
They in no way have the same level of gatekeeping as extensions.
So instead of writing a widget publicly visible, the random third party
admin who barely knows the basics of PHP goes to write something that quite
possibly is not published anywhere and can have gaping security holes not
known to them and remaining so. You also mention stuff such as
Html::element. Guess what - they might not know about it. I have looked at
A LOT of extensions, and I can assure you that you have a rather rosy view
on the subject.
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil.