Hi,

The thing to understand is that the editor is a convenience tool to help write html without knowledge of html. It is NOT a security feature. If a user disables javascript in their web browser the editor will disappear completely there will be a textarea and the user can then enter raw html or add javascript or do anything they want. So if you are thinking the editor can stop users from doing bad things, it cannot.

You "could" edit the toolbar configuration to leave out the view source tool button, however, the places where the editor has the view source button are only in places where the features expect trusted users. For example the blog comments and forums do no expect trusted users so they don't have as many toolbar options, but the Html content feature and the Blog feature do expect users with edit permissions to be trusted users. You should not allow untrusted users to edit those features. See the section of What mojoPortal is NOT designed for on the About page.

Note that while we don't include the view source toolbar in places where untrusted users can edit content, we don't rely on it for security and we assume that users can manage to enter malicious content by disabling javascript as mentioned above, but we have other means to protect against untrusted content entered by untrusted users. We use a tool called NeatHtml to wrap around untrusted content and prevent any script from being executed.

Hope that helps,

Joe