Index: fckeditor.module =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/fckeditor/fckeditor.module,v retrieving revision 1.19.2.6.2.59 diff -u -r1.19.2.6.2.59 fckeditor.module --- fckeditor.module 19 Nov 2008 12:53:24 -0000 1.19.2.6.2.59 +++ fckeditor.module 25 Nov 2008 14:38:25 -0000 @@ -1658,7 +1658,7 @@ $form['security'] = array( '#type' => 'fieldset', '#title' => t('Security'), - '#description' => t('Because Drupal stores content in an unmodified form, it is necessary to perform additional security checks before FCKeditor renders the Html content for editing.') .' '. t('Without security filters, when you decide to edit an article which contains a malicious attack (like xss), that code will be rendered along with the html and therefore executed by your browser.') .' '. t('Before FCKeditor renders the content in its editor, it makes an AJAX call to check the node\'s textarea for which filters are checked below and are in the textarea\'s input format.') .' '. t('For example, if you\'re using a Filtered HTML input format and have checked the HTML filter below, it will be executed. However, if you edit node with Full HTML input format assigned, HTML filter will not be executed.') .' '. t('Most obvious is when using a custom module\'s security filter which allows html attributes but strips attribute xss when viewed, but FCKeditor will attempt to show original content when edited which could be malicious. Now same filter if checked below will run when edited to clean up content.'), + '#description' => '

' . t("When Drupal saves user data input through a textarea, it's saved in the database in unmodified form. That's why all untrusted textarea input should be run through an input format filter before outputting it to the screen." . '

' .'

' . t("Drupal will not, however, filter data for administrator's editing a textarea. Normally, there is no security risk because the unmodified code is displayed as text and will not be rendered as HTML. But with FCKeditor installed, this is not the case, and administrator's are subject to having raw, untrusted code running inside their browsers.") . '

' . '

' . t("To address this issue, you should select a security filter below to prevent FCKeditor from rendering malicious code. Note that if a textarea's input format is set to \"Full HTML,\" FCKeditor will properly ignore the setting below and will not run the code through the security filter.") . '

' . '

' . t("If any textareas on your site are accessible to unwanted users, we recommend checking the \"Filtered HTML\" filter. You may have other modules installed that provide other kinds of security filters and you may use those as long as you trust them to properly filter out malicious code. Note that not all the filters below are security filters and will provide no protection.") . '

', '#collapsible' => TRUE, '#collapsed' => TRUE );
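Review bot: the first t() call in the new '#description' is never closed in this hunk. The literal starting t("When Drupal saves user data input through a textarea ... before outputting it to the screen." is followed by . ' and the next t("Drupal will not, however ... opens inside it, so the hunk has four t( opens but only three ") closes, which PHP will reject as a parse error. Close each call right after its own literal, i.e. t("... before outputting it to the screen.") . ' ... ', and keep the surrounding markup fragments outside the calls: Drupal's t() is only extracted for translation when its argument is a plain literal, so a concatenated argument would not be picked up by the translation tooling even after the parenthesis is fixed. Two smaller points in the user-facing strings: "administrator's editing a textarea" and "administrator's are subject to" should be the plural "administrators", and "not all the filters below are security filters and will provide no protection" reads better as "not all the filters below are security filters; those that are not provide no protection."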