I’ve created the wiki page for the RFC here: http://wiki.phpbb.com/PhpBB4/RFC/Multiple_Editors
The current parser used within phpBB3 is a BBCode parser that allows for custom BBCodes. But just as an administrator using phpBB2 was able to add an HTML tag that made the board vulnerable to XSS, you can do the same with the BBCode parser, so are we really any more secure using BBCode than we are with HTML?
Many web applications include at least basic HTML support out of the box: MediaWiki, WordPress (pages, posts and comments), vB. When both whitelisted and filtered properly, I believe you can have a secure HTML parser, or at least one as secure as the BBCode processor. But the real reason I believe users commonly ask for HTML support is that they want more familiarity and flexibility in formatting for posts.
However, what if phpBB4 actually enabled users to choose the markup format they wish to use in the post they are making? A list of options could be given to them when making a post, or set in the user preferences as the default editor preference:
- Plain Text
- BBCode - What’s phpBB without BBCode?
- Markdown - Would need to be modified, includes some HTML support.
- Textile - Would need to be modified, includes some HTML support.
- WYSIWYG - Popular GPL options include: (F)CKEditor with jQuery, and TinyMCE.
- rawHTML - A whitelist only parser.
This would enable users to use the editor that is most familiar to them and enable them to create content faster and more easily, improving the user experience.
Each editor option could be loaded in as a plugin and would have the option of being enabled or disabled by the administrator. Third party developers could create a LaTeX editor plugin for example.
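To make the two security points above concrete (that an admin-defined custom BBCode can open the same XSS hole as raw HTML, and that a whitelist-only parser is what makes HTML support at least as safe as BBCode), here is an added Python example. It is not phpBB code and not part of the RFC. The tag and attribute policy is constructed for the example; the token names ({URL}, {TEXT}, {NUMBER}) are modelled on phpBB3's custom-BBCode tokens, but the validation rules attached to them are assumed here. The same whitelist is used both for the "rawHTML" editor and for checking an administrator's BBCode HTML template before it is saved.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: only these tags and, per tag, these attributes survive.
# Anything not listed (div, script, style, on* handlers, ...) is dropped.
ALLOWED = {
    "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "code": set(), "pre": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}          # tags that never take a closing tag
SAFE_SCHEMES = {"http", "https"}


def safe_url(value):
    """Accept absolute http(s) URLs and relative paths; reject javascript:, data:, vbscript: etc."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from parsed events, so nothing reaches the output verbatim.
    Comments, declarations and processing instructions are discarded by the base class."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []       # allowed tags currently open, closed in order at the end

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return            # drop the tag; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in ("href", "src") and not safe_url(value):
                continue      # URL-bearing attributes get a scheme check on top of the whitelist
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return            # stray or disallowed closing tag
        while self.stack:
            closed = self.stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))   # text is always re-escaped, entities included


def sanitize(html):
    """Whitelist-only HTML filter for a 'rawHTML' editor."""
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    while p.stack:                      # close anything the author left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)


# --- custom BBCode side: the administrator's template and the user's token values ---
TOKEN = re.compile(r"\{([A-Z]+)\}")
BBCODE_TOKEN_CHECKS = {               # assumed per-type validation rules
    "URL": safe_url,
    "NUMBER": str.isdigit,
    "TEXT": lambda v: True,           # any text, but it is still HTML-escaped below
}


def template_is_safe(template):
    """Check an admin-supplied BBCode HTML template at definition time: if sanitizing
    it changes anything, it relies on a tag or attribute outside the policy."""
    return sanitize(template) == template


def render_custom_bbcode(template, values):
    """Expand a template in one pass; every token value must pass the check for its
    type and is escaped. Returns None if any value is rejected."""
    rejected = []

    def sub(m):
        kind = m.group(1)
        value = values.get(kind)
        check = BBCODE_TOKEN_CHECKS.get(kind)
        if value is None or check is None or not check(value):
            rejected.append(kind)
            return ""
        return escape(value, quote=True)

    rendered = TOKEN.sub(sub, template)
    return None if rejected else rendered


if __name__ == "__main__":
    # Constructed inputs of the kind a post could contain.
    print(sanitize('<b>hi</b><script>alert(1)</script><a href="javascript:alert(1)">x</a>'))
    print(template_is_safe('<b onmouseover="{TEXT}">{TEXT}</b>'))
    print(render_custom_bbcode('<a href="{URL}">{TEXT}</a>', {"URL": "javascript:alert(1)", "TEXT": "x"}))
```

The point of running the administrator's template through the same sanitizer is that it closes the gap described for phpBB2: a custom BBCode is only as safe as the HTML it expands to, so the HTML it expands to is held to the same whitelist as a user's raw post, and user-supplied token values are validated by type rather than pasted in.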
Markdown reference:
http://daringfireball.net/projects/markdown/basics/
Textile reference:
http://hobix.github.com/hobix/textile/