Text Formats, Filters, and Security

Long story short, I’m kind of baffled by how Drupal handles user text input.

1) Why do text formats/filters come with a security warning? Why are they not secure by default? Seeing “Warning: This permission may have security implications depending on how the text format is configured.” is not reassuring to a site builder, and putting the burden on them to prevent XSS is not a great user experience.

2) Why are text formats/editors restricted by role to start with, instead of by field? Is this just a carryover from the bad old days of the PHP filter? Because how much markup you allow seems naturally more a part of what content the field is for than who posted it. Yes, I know I can enable allowed formats, but (a) that doesn’t help with entity base fields and (b) it doesn’t stop it from feeling like the core handling is off.

3) Why is the “help text” (allowed HTML tags, etc.) not only the default, but obligatory? Why is it not there when CKEditor is set up? Besides being kind of ugly and intimidating, it takes up a lot of screen real estate, especially when you’re viewing on mobile. It duplicates the information available through the “about text formats” link.

