I'm proposing a technical fix and not a moderation fix.

It's not necessarily a purely security-oriented matter, either. While it does concern me that someone could come up and create hidden links to some malware host or embed this that or the other and we wouldn't catch it until someone were victimized, it probably concerns me more (from a realistic standpoint) that the current system allows an ignorant user to implement broken code and thus break the site (or a portion of it). I don't think a paradigm that puts HTML's superior customization options over the service continuity and ease of maintenance of the site is ultimately more sustainable than one that does the opposite. It's decidedly less so.

If you look at other forums (any that use vBulletin, for example), they're typically shortcode/RTE-based and don't allow any actual code from the user side. Thus, there's zero risk of a user breaking the site's usability. The worst that happens is some shortcode is mistyped and ends up not rendering the way the user wanted, so there are some formatting issues with his or her text. You don't get formatting cascading out of divs. You don't get people rewriting what links go where. You don't get people changing the background of this page or that.

But what you do get is a comparatively sterile environment. Which, I think, is where some kind of interface for page customization would come in. It's a conscious decision to make the site slightly less customizable in favor of making it much less breakable. And, looking at how most people use HTML around here, there's not much that we couldn't safely replicate. Maybe you lose a few options when it comes to the user page, but that's about it. And some forms of customization, such as font-size, are almost never applied without being intrusive. (And even font-size can be built into the shortcode and left out of name customization.)

If I could trust that users will implement code correctly, then I'd be concerned mostly with the risk of some random and infrequent attack. But I can't trust that users will implement code correctly. I don't think anyone can really substantiate the position that we should, given how often someone breaks something somewhere and somehow (and not necessarily maliciously). Hell, I'm still educating people every other day (at best) on the enormous banner that tells people where to post rules questions.

Your points stand up well enough on their own, you don't need to give me your resume. And you're right, I cannot contest the risk involved with the current system here. I mean anyone can register for free and get a variety of scripts running from any number of pages on your servers. That's terrifying. If you asked me how to make this site as operationally secure as possible I would likely advise exactly what you are. Hell, I wouldn't even allow custom background images.

But I'm not being asked how to make the website more secure. I'm giving my opinion in regards to what I value out of it. I'm not claiming I have the rights to anything, it's not my site, I just use it.

I consider my argument meritorious if we're discussing the website as it serves its community; if your wish is to best serve the community you have to consider what those users want. Now, you've countered and said that a more secure platform better serves the community, and that those who really use the customization options are in a minority, I would say that's fair and worth my considering. Although kinda silly, because it's not up to me.

Part of risk assessment is evaluating how much it would cost to fix vs how much you stand to lose. That includes the time and money it would take for yeaGO to write/buy/implement the changes being proposed and the functionality lost and how it impacts the users. For the moment I see the risk as not outweighing the benefits and cost to correct it.

I'm more sympathetic to your position than I may be coming off. If I may offer my own resume I'm a contractor that services every data system under the sun, mostly for public schools that have enormous liability issues. I manage wireless networks, program switches, consult on, install, and maintain every kind of security system from burglary to fire to network, phone and voicemail systems and I even do run-on sentences that arbitrarily miss Oxford commas. But here I'm just a member of the community telling you what I value about this community.

And I appreciate that perspective. But I don't think that an evaluation of what the community values should consider only what a portion of the community does. If I didn't care about making the site better for the community, I wouldn't lobby for a customization system to replace any code prohibitions. The trick, I think, is in finding an appropriate balance between the site's customization options and its technical stability.

And maybe it's my experience with DR and business continuity that tells me that users always being able to break a page is not a good practice. But I think that an interface of some kind would be more useful to more people. Again, I go back to the question of how many people ask how to write code but know nothing about what it means or how it's implemented? How many ask someone else to teach them HTML? Because we have so many nontechnical users, I think a simplified system would help reduce misuse.

Now there's an argument I like, that a customization interface would make it more accessible to more people. As it is now there's certainly a bit of a hump. I had next to no experience with HTML and none at all with CSS until maybe two months ago when I decided to tackle my own user page, and before I went ahead and made one there was no resource describing how to do it.

It took a bit of digging around source code and a lot of googling and reading other tutorials to piece it together. But I've been scripting since I was 8 and it may not be fair to assume that everyone's willing to do all that, I think back to some of the trouble tickets I saw when I was in desktop support and I know some people and computers don't mix. I'm taking for granted that a community based around MTG might be a hair more computer savvy than a group of 60 something secretaries who believe a tiny gap between drive bay blanks on their tower is their optical drive.

Not being the guy that has to clean up after the mess I have no concept of how often the mess occurs. So far my sum experience is 1 problem in over a year, which was deliberate and caused by a bug. Even once a week or so doesn't seem that big a deal if they just break their own pages, though breaking the site is another story.

So getting back that balance, I've already laid out where I think that balance is, but if I had to tip the balance a bit further towards your side... I'm thinking something like you describe, a UI with inputs, but with an advanced tab that takes you straight to a style sheet for your page that's already linked to it. Style sheets aren't the devil, only being able to affect style fields they aren't going to break anything catastrophically or accidentally. A malicious user might make their upvote button invisible and the size of the screen, but that'll be pretty obvious and it's not like there's any lasting damage done. Whitelist a few innocuous tags (I use nav-pills a lot, for example, and ordered/unordered lists don't work in accordions without html) and leave the rest up to markdown.

That would give everyone the basic customization options so the less script savvy among us can mix things up without risk, and the rest of us can maintain that same level of control we have now. Hell, make the advanced/CSS option upgraded user only if you want, give people that much more incentive to upgrade.

Of course, that's an enormous amount of work. I'm not unhappy with things as they are now, but if I had to change it I wouldn't throw too big of a fit if that's what we did.

I also want to point out another thing that wasn't mentioned. By allowing the site the be manipulated and altered against the common user's will, we present an environment to the common user that is unstable and unreliable. The site evokes negative connotations to the user if things go against what they expect without any clarification or notification about those things. I equate the fiddling around with code on this site to the equivalent of users posting porn on a pg-13 site and having the admins do nothing about it. Both of these issues are reason enough for users to leave the site for something that is more stable and more reliable.

We get the complaints time and time again that "this isn't myspace", and guess what, those are legitimate concerns. Having this site continue a feature that makes it lose potential customers instead of gain them is not a good idea and goes against a successful business model. We want to make this site more popular so yeago can get more of an income out of it and be able to work on this site more. At the moment, far more users are turned off by the coding on this site (hell, a lot of them really don't like the names and wish everyone would stay with blue names) then there are users who enjoy it. Appealing to the majority's opinion is important in continuing a successful business, no matter what that business is.

Of course you have to service the majority, but you must be careful not to serve a vocal minority. "We get complaints..." is anecdotal, and unless there's been some poll I'm not aware of, argument from small numbers. People are far more likely to complain about something they dislike than praise something they enjoy, typically at about a 4:1 ratio, so that some users complain about some decks or user pages is by no means indicative that the feature is having a negative impact.

I can only go by what I see, and I see very few people complaining about deck/user pages or names. I can count those users on my hands and I doubt I'd need my toes. On the other hand I see many, many people embracing page and name customization. In this thread alone I see 11 custom names and 5 significantly modified user pages out of, I think 14 different users? And that's not counting some of the more sophisticated spoiler/header/linking/hr stuff on some pages like Epochalyptik and tempest's.

These are my own small numbers, but at least it's not an anecdote. I'm willing to accept that a majority of users may not be equipped to use HTML with the utmost care and consideration for TappedOut, I'm not so willing to buy that a majority of users take issue with customized deck and user pages without some hard evidence to indicate it.