User input is only put through security filters if it is brought into the script through ad_page_contract. The message-post script brings the values in by calling form get_values. This isn't necessarily a problem, since formtemplating allows you to set up -validate blocks of code to make sure the user inputs valid information and then give user-readable feedback about error. Unfortunately, no -validation was set up in the message-post script.

I would rather not see a forced security filtering of everything coming through user feedback through the rp. There are times when allhtml should be allowed (edit-this-page comes to mind, as well as admin pages). The tools already exists to do proper validation, as developers, we just need to be sure to use them.

I have thought for a long time that it would be useful to be able to use the ad_page_contract filters outside of the ad_page_contract block of code. There have been many times that I have needed to bring variables in that I won't known the names of until the proc is used. In these instances I've relied on the trusty ns_queryget, which does no kind of validation or :trim, etc. At one time I tried to see how such a proc could be constructed, but gave up for lack of time. I envision such a proc taking all the arguments of the -query section of ad_page_contract and grabbing the appropriate query variable and setting them up locally. Possibly like:

set varname [lindex $list_of_vars 0]

ad_queryget_vars $varname:trim

I know I would find such a proc very useful.