All security settings must be set in the server side. The Filter HTML code functionality in RTE allows you to accept HTML input from your users, filter it to make sure it contains only an allowed set of tags, attributes and values and then display it without leaving yourself open to XSS holes. RTE automatically detect the MIME type of the files you upload, and rejects the file if the file-extension does not match the mime type. What happen if someone renames .exe file extension as .jpg and uploads it to your server?
RTE also allows developers to assign a pre-defined set of permissions by group or individual. This prevents a normal user to access the administration functionality. The details of permissions are specified by an XML security policy file. Each level maps to a specific file. The default mappings:
You can customize and extend each policy file by editing the XML security policy file. You can also create your own policy files that define arbitrary permission sets. Comparison of the sample security policy file
Administrators Members Guest John (admin) Mary (sales) Tim (financial)
<RTE:Editor runat="server" ContentCss="example.css" Toolbar="minimal" ID="Editor1" />