Saturday, November 8, 2008

I've been struggling with the problem of cross site scripting in AMI. The way it's designed now, users can enter HTML in all its glory, including scripts. Some other user can view that document, and that's where the XSS vulnerability lies. Maybe one can try not to be evil, but one must assume everyone else is.

Thinking about how I really use AMI, I realized I don't really need to be able to enter HTML. It was just an easy way for me to provide visual formatting. Really, though, the kind of information I record is more appropriately stored in attributes rather than the document text. I just need to make it easier to use attributes.

If everything is stored in attributes, AMI becomes much more of a semantic repository and not so much a document repository.
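As an added illustration (not AMI's own code; the post does not show AMI's language or data model, so the attribute dictionary and function names below are assumptions), here is a small Python sketch of the two rendering approaches the post contrasts: echoing a trusted HTML body as-is, versus rendering attribute data as escaped text so that whatever a user typed reaches other viewers as text rather than as markup.

```python
import html

# Constructed sample data (not from AMI): attribute values as a user might type them,
# including one that carries a script tag and one that tries to break out of a quoted
# attribute value.
SAMPLE_ATTRIBUTES = {
    "title": "Meeting notes",
    "note": '<script>alert("xss")</script>',
    "status": 'draft" onmouseover="alert(1)',
}


def render_raw_html(body: str) -> str:
    """Old design: the document body is treated as trusted HTML and echoed unchanged.
    Anything the author typed, scripts included, is interpreted by every viewer's browser."""
    return f"<div class='doc'>{body}</div>"


def render_attributes(attributes: dict) -> str:
    """New design: information lives in attributes and is treated as data, not markup.
    Each key and value is HTML-escaped on output; quote=True also escapes quotes, so the
    same values would be safe inside an attribute-value context as well as element text."""
    rows = []
    for key, value in attributes.items():
        k = html.escape(str(key), quote=True)
        v = html.escape(str(value), quote=True)
        rows.append(f"<tr><th>{k}</th><td>{v}</td></tr>")
    return "<table class='attributes'>" + "".join(rows) + "</table>"


def contains_active_markup(rendered: str) -> bool:
    """Deliberately crude check for the comparison: does the rendered output still carry a
    script tag or a live event-handler attribute that originated in the sample data?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered
```

The escaped table still shows the reader exactly what was entered, which is the point of the redesign: visual formatting is lost, but the stored information survives and cannot execute.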
