Good question; security is always a concern.
Currently mojoPortal is using version 2 rc1 of FCKeditor. rc2 is available, but I'm inclined to wait for the final release to change it.
Things I've done so far toward security:
- no dynamic SQL statements are used; all data access uses either stored procedures or parameterized queries, so I think we are safe from SQL injection attacks.
- presumably users of the blog and html content modules are trusted users
- forum users may in some cases be anonymous so image uploads are disabled in the editor for the forums
Things I plan to do but haven't done yet:
- extra security checks in the image upload code
In my view security is an ongoing process. If you see any other holes or potential holes in the security that need plugging, please let me know.