I wrote the first patch to block the use of the <image>
element and I suppose I can keep on adding to the code
(it's just a regex....
IMO, the most valuable lesson we can pull from mousey's little mini-exploit is to filter homenode HTML positively ("allow only safe elements") rather than negatively ("deny only the unsafe elements that we thought of").
And now, the less valuable lesson, all IMHO:<soapbox>
That's not my read on the situation at all.
From mousey's original post, and from what he actually did with the vuln he found, I see his attitude as (naive) exuberance: "hey, cool, you can get around the no-images-before-level-5 filter with a crufty HTML hack!" That "hey, cool" attitude is central to hackerdom; without scruffy programmers doing the unexpected, we'd all be grinding out COBOL, JCL, and PL/I for a living on massive time-sharing systems from IBM. We need to protect that attitude, and nurture it, not restrict and ostracize it.</soapbox>
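To make the "positive filter" point concrete, here is an added example (written for this discussion, not the site's own filter code and not anything mousey or the patch author posted) that puts a regex denylist next to a parser-based allowlist. The element and attribute policy, the URL scheme list and the sample homenode snippets are all assumptions made up for the demo; the one fact it leans on is that an HTML5 parser treats an `<image>` start tag as `<img>`, which is exactly why a regex that only knows `<img` lets it through.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for a homenode: only these elements, and per element only
# these attributes, survive. Everything not listed is dropped, not because it
# is known to be dangerous but because it was never known to be safe.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"},
}
VOID = {"br"}                       # elements that never get a closing tag
DROP_CONTENT = {"script", "style"}  # drop the body of these, not just the tag
SAFE_SCHEMES = ("http://", "https://", "/")  # assumed href policy


def denylist_filter(html):
    """Negative filter: strip only the <img> tags we thought of.

    Browsers parse <image ...> as <img ...>, so the first sample below
    sails straight through this version.
    """
    return re.sub(r"<img\b[^>]*>", "", html, flags=re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Positive filter: re-emit only allowed elements/attributes, escape the rest."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack, so output is always well-formed
        self.skipping = None  # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = tag
            return
        if self.skipping or tag not in ALLOWED:
            return  # unknown element: tag dropped, its text content kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, vbscript: ... never reach output
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED and tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
            return
        if tag in self.open_tags:
            # close everything opened after the matching tag too
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # text is always re-escaped

    # comments, <!DOCTYPE>, <?pi?> fall through to the base class and vanish

    def close(self):
        super().close()
        while self.open_tags:  # close whatever the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def allowlist_filter(html):
    p = AllowlistSanitizer()
    p.feed(html)
    return p.close()


if __name__ == "__main__":
    # constructed sample of the kind of homenode HTML the thread is about
    sample = '<image src="x.gif"><IMG SRC=y.gif onerror=alert(1)><b>hi</b>'
    print("denylist :", denylist_filter(sample))   # <image ...> survives
    print("allowlist:", allowlist_filter(sample))  # only <b>hi</b> survives
```

The allowlist version is also the one that keeps working when the next "crufty HTML hack" shows up: a new element name, an `onerror` on an element nobody thought about, or a `javascript:` href are all rejected by default instead of needing one more regex.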