When you say that HTML source editing is a security risk, do you mean that it allows ANY AND ALL HTML, including custom CSS and JavaScript, or that it is just an HTML version of the old BBCode where it filters unaccepted code out automatically? Because if it's the latter, is there a risk?