Good question; security is always a concern.
Currently mojoPortal is using version 2 RC1 of FCKeditor. RC2 is available, but I'm inclined to wait for the final release to change it.
As you note, one must turn off the built-in validation because posting back HTML content is potentially malicious. I don't currently see any potential server-side threats other than possibly through the image upload mechanism. I suppose it is currently possible for some kind of client-side exploit to be added to page content using JavaScript. If you see any other potential issues, please elaborate.
Things I've done so far toward security:
- no dynamic SQL statements are used; all data access uses either stored procedures or parameterized queries, so I think we are safe from SQL injection attacks.
- presumably users of the blog and html content modules are trusted users
- forum users may in some cases be anonymous, so image uploads are disabled in the editor for the forums
Things I plan to do but haven't done yet:
- extra security checks in the image upload code
- use regular expressions to remove any JavaScript that may be included in a post
In my view, security is an ongoing process. If you see any other holes or potential holes in the security that need plugging, please let me know.
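Added example, not code from mojoPortal or FCKeditor: a small Python demonstration of the two ways of handling script in posted HTML that the reply above touches on, a denylist regular expression versus an allowlist sanitizer, run over a constructed sample post. The tag and attribute allowlist, the `safe_url` scheme check and the sample markup are assumptions chosen for illustration, not anything taken from the project.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample post (not real forum content): a mix of harmless markup
# and the usual places script can hide in HTML.
SAMPLE_POST = (
    '<p onmouseover="alert(1)">Hello <b>world</b></p>'
    '<script>alert(document.cookie)</script>'
    '<img src="x" onerror="alert(2)">'
    '<a href="JavaScript:alert(3)">click</a>'
    '<a href="&#106;avascript:alert(4)">encoded</a>'
    '<a href="https://example.com/">ok</a>'
)


def strip_script_regex(markup: str) -> str:
    """Denylist approach: delete <script> blocks and 'javascript:' URLs.

    Anything the patterns do not name (event-handler attributes, entity-encoded
    schemes) passes through untouched.
    """
    out = re.sub(r"<script\b.*?</script>", "", markup, flags=re.I | re.S)
    out = re.sub(r"javascript:", "", out, flags=re.I)
    return out


# Assumed allowlist for illustration: what a post is permitted to contain.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li",
                "a", "img", "blockquote", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL


def safe_url(value: str) -> bool:
    """Accept only http(s), mailto or relative URLs.

    Control characters and whitespace are removed first, because browsers
    ignore them inside a scheme ("java\\nscript:" still runs).
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialise the input keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop everything

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes every on* handler and style=
            value = value or ""  # attribute values arrive entity-decoded
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        closer = " /" if tag in VOID_TAGS else ""
        self.out.append(f"<{tag}{''.join(kept)}{closer}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped


def sanitize_allowlist(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("regex:    ", strip_script_regex(SAMPLE_POST))
    print("allowlist:", sanitize_allowlist(SAMPLE_POST))
```

Running it prints the regex result still carrying `onmouseover`, `onerror` and the entity-encoded `&#106;avascript:` link, while the allowlist result is `<p>Hello <b>world</b></p><img src="x" /><a>click</a><a>encoded</a><a href="https://example.com/">ok</a>`. The allowlist version does not try to balance unclosed tags; a production sanitizer would do that as well.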