A bit back Footman posted a blog on Flash uploads and related security issues. I replied there at a bit more length, and will repeat my notes here on how to disable Flash embedding in iWiccle if any webmaster feels the need to do so. (These and other informative forum posts will gradually be pooled into Tutorials.)
---
The TinyMCE editor used in iWiccle is configured by default to allow "embed" and "object" tags, which let you embed Flash objects from remote sources, such as a Flash video, into one of these forum posts.
If you wish to remove the Flash-embedding capability from the post editor, open tiny_mce_init_full.js under /plugins/tinymce/ and remove the "extended_valid_elements" line from the configuration, along with the "media" entry from the theme_advanced_buttons2 toolbar configuration to remove the front end for it.
To complete the filtering on the server side, browse to Admin CP > System > Security and remove the entries for "embed, object, param" from the allowed-tags whitelist for posts. Neither of these two changes affects the Admin editor in Wiccle Builder; that is configured separately (in tiny_mce_init_admin.js). These TinyMCE initialization scripts are also the place where you can reconfigure the toolbars for your editor(s) (refer to TinyMCE Wiki -> Button / Control reference).
Remember that whatever tags you allow or disallow in TinyMCE must also be reflected in the Security section, as it doesn't take a great deal of hackerhood to circumvent TinyMCE's tag filtering setup and get to posting raw data into the system.
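One way to check that the two settings agree, as an added example (not iWiccle's or TinyMCE's own code): it compares a TinyMCE-style element rule string with a server tag whitelist and reports, for each Flash-related tag, whether the server would still accept it. The function names, the verdict labels and both sample strings are assumptions made for illustration, and the server whitelist is assumed to be a comma-separated list of tag names.

```javascript
// Tags this page is concerned with (Flash embedding).
const FLASH_TAGS = ['embed', 'object', 'param'];

// Parse a TinyMCE element rule string such as
// "embed[src|type],-span[class],strong/b" into a set of tag names.
// Assumes plain tag names (no wildcard rules).
function tagsFromTinyMceRules(rules) {
  const tags = new Set();
  const withoutAttrs = rules.replace(/\[[^\]]*\]/g, ''); // drop [attribute] lists
  for (const rule of withoutAttrs.split(',')) {
    // Leading #, + or - are rule modifiers; "a/b" lists synonyms.
    for (const name of rule.trim().replace(/^[#+\-]+/, '').split('/')) {
      if (name) tags.add(name.toLowerCase());
    }
  }
  return tags;
}

// Parse the server whitelist (assumed format: "p, b, embed").
function tagsFromServerWhitelist(list) {
  return new Set(
    list.split(',').map((t) => t.trim().toLowerCase()).filter(Boolean)
  );
}

// The server whitelist decides what is stored: a tag removed only from
// the editor is still ACCEPTED when a request bypasses the editor.
function auditFlashTags(editorRules, serverWhitelist) {
  const editor = tagsFromTinyMceRules(editorRules);
  const server = tagsFromServerWhitelist(serverWhitelist);
  return FLASH_TAGS.map((tag) => {
    const inEditor = editor.has(tag);
    const onServer = server.has(tag);
    let verdict = 'BLOCKED';                   // neither side allows it
    if (onServer) verdict = 'ACCEPTED';        // server will store it
    else if (inEditor) verdict = 'EDITOR_ONLY'; // offered in UI, stripped later
    return { tag, inEditor, onServer, verdict };
  });
}

// Constructed sample: editor already cleaned up, server whitelist not yet.
const sampleEditorRules = '-span[class|style],strong/b';
const sampleServerWhitelist = 'p, b, strong, embed, object, param';
console.log(auditFlashTags(sampleEditorRules, sampleServerWhitelist));
```

Any tag reported as ACCEPTED while `inEditor` is false is the situation the last paragraph describes: hidden from the toolbar but still storable by anyone who posts around the editor.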










