To avoid security problems on websites, you need different levels of filtering for the data posted by website users.
This generally comes down to something like this:
* A registered user can insert images and format his text (left, right, bold, etc.)
* A simple visitor can only write text.
The filter does two things:
1) remove unwanted HTML tags (which tags are unwanted depends on the user's level);
2) replace standard text such as <hello world> with the proper entities (i.e. &lt;hello world&gt;) so the browser displays it as plain text instead of interpreting it as a tag.
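The two filter actions above, combined with the two user levels, as an added example (this is example code written for this page, not the CMS's own filter). The tag and attribute whitelist, the http/https-only rule for image sources and the treatment of <script>/<style> content are assumptions made for the example; the page only says that registered users may insert images and format text while visitors may only write text.

```python
"""Two-level post filter: visitors get plain text only, registered users get a
whitelist of formatting tags and images. Everything else is removed or escaped.

The whitelist below is an assumption for this example, not the CMS's own list.
"""
import html
from html.parser import HTMLParser

# Tags a registered user may use, mapped to the attributes kept on each tag.
REGISTERED_TAGS = {
    "b": set(), "i": set(), "strong": set(), "em": set(), "br": set(),
    "p": {"align"},          # left / right / center alignment
    "img": {"src", "alt"},   # images; src is restricted to http(s) below
}
VOID_TAGS = {"br", "img"}              # never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # drop the tag *and* its content


class WhitelistFilter(HTMLParser):
    """Keeps whitelisted tags, drops the rest, escapes all text nodes."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)  # "&lt;" arrives as "<" and is re-escaped
        self.allowed = allowed
        self.out = []
        self.open_tags = []   # stack of kept tags, so output stays well-nested
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.allowed:
            return  # unwanted tag: removed, its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag] or value is None:
                continue  # unknown attribute (onerror=, style=, ...) dropped
            if tag == "img" and name == "src" and \
                    not value.lower().startswith(("http://", "https://")):
                continue  # blocks javascript:, data: and similar URLs
            if name == "align" and value.lower() not in ("left", "right", "center"):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray closing tag: ignored
        while True:  # close anything opened after this tag, then the tag itself
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close tags the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def filter_post(text, level):
    """Filter text posted by a user of the given level ("visitor" or "registered")."""
    if level == "visitor":
        # No tags at all: <hello world> is shown literally as &lt;hello world&gt;
        return html.escape(text, quote=False)
    if level == "registered":
        f = WhitelistFilter(REGISTERED_TAGS)
        f.feed(text)
        return f.result()
    raise ValueError(f"unknown user level: {level}")


if __name__ == "__main__":
    # Constructed sample posts
    print(filter_post("<hello world>", "visitor"))
    print(filter_post('<p align="right">Hi <b>there</b></p>', "registered"))
    print(filter_post('<img src="javascript:alert(1)" onerror="x()"><script>steal()</script>ok', "registered"))
```

Note that a parser-based whitelist is the right shape for this job: a regex that strips "<script>" misses case variants, attribute event handlers and javascript: URLs, whereas the parser sees every tag and attribute and only lets through what is explicitly allowed. The filter also closes tags the user left open, so a stray <b> cannot change the rendering of the rest of the page.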
Note that the filtering system could be used for many other text transformations. However, most such transformations take place when the XSLT runs over the resulting output, and they depend on the chosen output format.
At this point the user cannot choose the filters applied to a page. The XSS filter and the token filter are already fully functional; what is not yet handled properly is how and when they get applied. As we are working on the editor and AJAX, we will soon be able to implement the proper filtering behavior.