-> I'm not sure that raw html should be a problem, as long as the
-> htmlsanitizer and htmlbalanced plugins are enabled. I can see filtering
-> out directives, as a special case. --[[Joey]]
-
->> Right, if I sanitize each post individually, with htmlscrubber and either htmltidy
->> or htmlbalance turned on, then there should be no way the user can forge a comment;
->> I was initially wary of allowing meta directives, but I think those are OK, as long
->> as the comment template puts the \[[!meta author]] at the *end*. Disallowing
->> directives is more a way to avoid commenters causing expensive processing than
->> anything else, at this point.
->>
->> I've rebased the plugin on master, made it sanitize individual posts' content
->> and removed the option to disallow raw HTML. Sanitizing individual posts before
->> they've been htmlized required me to preserve whitespace in the htmlbalance
->> plugin, so I did that. Alternatively, we could htmlize immediately and always
->> save out raw HTML? --[[smcv]]
-
->> There might be some use cases for other directives, such as img, in
->> comments.
->>
->> I don't know if meta is "safe" (ie, guaranteed to be inexpensive and not
->> allow users to do annoying things) or if it will continue to be in the
->> future. Hard to predict really, all that can be said with certainty is
->> all directives will contine to be inexpensive and safe enough that it's
->> sensible to allow users to (ab)use them on open wikis.
->> --[[Joey]]
-
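Review bot: the lines removed here carry the security rationale for the comment handling, and nothing visible in this hunk shows it being recorded elsewhere. Three points in smcv's reply are constraints rather than chat: each post is sanitized individually with htmlscrubber plus either htmltidy or htmlbalance, the comment template has to put the meta author directive at the *end* so a commenter cannot forge one, and htmlbalance was changed to preserve whitespace so posts can be sanitized before they are htmlized. If the thread is being dropped because it is resolved, move those points into the plugin's documentation in the same change. The question at the end of that reply (htmlize immediately and always save out raw HTML?) is also deleted without a recorded answer, and the first comment names the plugins as "htmlsanitizer and htmlbalanced" while the reply uses htmlscrubber and htmlbalance, so any text that is carried over should settle on one set of names.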