I love the SilverStripe CMS. However, I periodically get frustrated with one aspect, one involving the TinyMCE-based page editor's default configuration. Each time I upgrade, I have to hack the editor's configuration so it doesn't strip out certain HTML tags after using the HTML-source editor. I often spend a couple of hours searching for my hack in the previous SS installation's source. Sometimes the old hack works. Sometimes it doesn't and I have to search for the same SS forum postings that helped me the last time. I am convinced that hobbling TinyMCE in this way is unnecessary and counterproductive for several reasons:
1) TinyMCE is less prone to abuse within SilverStripe: I could understand the rationale for having TinyMCE strip out certain HTML tags when used in the context of a blog's reply functionality or a forum's posting functionality. It's wise to keep random miscreants from injecting code and XSS exploits into a blog, even at the cost of decreased functionality for others. However, in SilverStripe's case, TinyMCE is used internally, by website content managers who probably have a direct interest in their content's safety. There isn't that much need, from a security standpoint, to limit what these users can do. Such users would have to go out of their way to do something harmful through the source editor.
2) Tag-stripping irritates power users: When the WYSIWYG part of the editor proves inadequate, it's nice to drop into the HTML-source editor and write exactly what you want. Except when SilverStripe strips it out! Maybe my embedding of Javascript within an article is questionable, and the need of a hack to enable it is reasonable. But I realized things had gone too far when SilverStripe 2.3.4 turned out to strip HTML-form-related tags from pages that need plain-old HTML forms. C'mon! Stripping out <form> and <input> tags? <ridiculous>This is</ridiculous>!
3) Tag-stripping is irrelevant to regular users: I applaud the SilverStripe philosophy of focusing on the CMS editor's usability for non-programmers. I understand that such a CMS editor may omit some features that technical users would like. However, the HTML-source editor is strictly a power-user feature, not a regular-user feature. Whether HTML tags are stripped out from HTML source should be irrelevant to regular users. If such users use the HTML-source editor, it must mean the WYSIWYG editor is very inadequate, that they are curious to see what the HTML button does, or that a Power User has emerged from its cocoon.
If there are good reasons for crippling the HTML-source editor, I'd like to know them. Otherwise, I hope to see future SilverStripe versions that ship with an uncrippled source editor, ready for power users right out of the box. Some existing niceties should be kept (such as transforming <b>s into <strong>s and <i>s into <em>s) but the stripping of other HTML tags (and HTML comments) should cease. I look forward to being able to easily shoot myself in the foot in the future. (Maybe it's time to take that old programmers' joke and make an HTML/WYSIWYG-editor version...)