I've done a couple of tests to see what code is accepted by the WYSIWYG:
- Entering a javascript Wufoo form
- Entering an HTML PHP form
No. 1 looks like it's been commented out by Pagelime; no. 2 works as expected.
I think it's a real security risk allowing users (especially the non-tech clients I serve) to put whatever code they like into the WYSIWYG. I'm no expert on this so don't know how vulnerable a static PHP site would be but I'm assuming there are some trolls out there that will jump at any opportunity.
Are there any safeguards in place right now? If not, it might be an idea to allow blocking of embedded scripts; most users just want to add videos / images, so something like oEmbed could replace it.
Think I'm right in thinking you guys are working on a Wufoo API anyway, so using that and oEmbed would tighten things up nicely and make sure we're not opening ourselves up to spammers. This would make sense for when you guys get huge!
I've put in a request for this at uservoice ;)
~ Rob
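The "block embedded scripts" safeguard the post asks for is usually implemented server-side as an allowlist sanitizer: the CMS keeps only the tags and attributes a non-technical editor needs (paragraphs, formatting, links, images) and drops everything else, including `<script>`, `<iframe>`, whole `<form>` elements, `on*` event handlers and `javascript:` URLs. The following is an added example written for this page, not Pagelime's code and not Rob's; it is in Python (the same logic applies to a PHP site), and the tag/attribute allowlists, the `safe_url` rules and the sample inputs are constructed assumptions. It also returns the list of dropped tags so an operator can log which accounts keep submitting scripts or forms.

```python
"""Allowlist HTML sanitizer for user-editable WYSIWYG content (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags a non-technical editor actually needs: text formatting, links, images.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "img",
                "ul", "ol", "li", "h1", "h2", "h3", "blockquote"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist; anything else (style, on*, id, class, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
# Elements whose body is code or an embedded document: drop the element AND its content.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form", "noscript"}


def safe_url(value: str) -> bool:
    """Accept http(s) and same-site relative URLs; reject javascript:, data:, //host."""
    # Strip whitespace and control characters first: "java\nscript:" is still javascript:
    v = re.sub(r"[\s\x00-\x1f\x7f]", "", value).lower()
    if v.startswith(("http://", "https://")):
        return True
    return ":" not in v and not v.startswith("//")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # Entities arrive decoded (so "&#58;" can't hide a colon); we re-escape on output.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # tag names removed, useful for logging abusive submissions
        self.skip_depth = 0     # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in DROP_WITH_CONTENT:
                self.skip_depth = 1
            return                      # other unknown tags: drop the tag, keep its text
        kept = []
        for name, value in attrs:       # HTMLParser already lowercases names
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # HTML comments are dropped entirely


def sanitize_with_report(html: str):
    """Return (clean_html, list_of_dropped_tag_names)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize(html: str) -> str:
    return sanitize_with_report(html)[0]


if __name__ == "__main__":
    # Constructed inputs mirroring the two things the post tried: a script and a form.
    for sample in ('<p>Hi</p><script>alert(1)</script>',
                   '<form action="/x" method="post"><input name="q"><button>Go</button></form>',
                   '<a href="JAVA&#10;SCRIPT:alert(1)" onclick="x()">click</a>',
                   '<img src="/uploads/a.png" alt="a" onerror="alert(1)">'):
        clean, dropped = sanitize_with_report(sample)
        print(repr(clean), "dropped:", dropped)
```

The sanitizer runs on the server when content is saved, never only in the browser, because the editor can be bypassed with a hand-crafted request. It does not balance tags or validate nesting; a production site should use a maintained sanitizer library, but the allowlist shape shown here is the model to configure it with, and pairing it with oEmbed for video/image embeds removes the last reason to accept raw `<iframe>` or `<script>` from editors.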