Javascript
Honestly, I don't see why this issue hasn't been addressed (it hasn't, has it?). Just do a simple (or many simple) preg_replace()'s of all JS code in posts, before posting. Remove <script*>*</script> and onaction="" in HTML.
I personally made a script that removes Javascript. One problem I ran into was that you could still use Javascript if you posted this:
Code: Select all
<b onclionclick=""ck="do_something_malicious();"></b>
Code: Select all
while (javascript_found())
{
remove_it();
}
People can put single </td> tags in their posts and break out of the page flow. Using the current BBcode system already in place (or being put in place as we speak...) phpBB should do an html_first_pass before posting, and an html_second_pass afterwards, to only output tags if two are found (<td></td>)
Allowed tags
I personally think this should be replaced with a list of DISALLOWED tags. To me it seems the current system only exists so people can't use </td> tags at all (unless allowed), but it's really just a quick 'n dirty fix that doesn't actually solve anything. Thinking ahead, it would also make WYSIWYG a major pain, because you would end up having a huge list of allowed tags. More practical to just have disallowed tags.
My two cents I want to know what other people think too.