Thread: Enable HTML
#5
6th May 2010, 17:02
MrPHP
Senior Member
Join Date: Apr 2010
United States
Posts: 19
HTML input can be perfectly safe.

I think you're mistaking "badly implemented, unchecked, raw HTML input" for "intelligently secured and whitelisted HTML input".

Though granted, bbcode is often easier for the users to understand. If you don't want to allow flash embedding (and you shouldn't), just don't whitelist those tags.

If you don't want the onhover attribute for elements (and again, you shouldn't), just strip those out. There is nothing intrinsically unsafe about HTML descriptions; idiotic developers are where the problems lie.