I would even venture to say that it's a terrible idea. If you want phpBB 3 to be as user friendly and secure as possible, make Flash disabled by default for "Standard" access when setting up permissions. Newer users might overlook this option and allow Flash to all users.
I honestly found it a big hassle while installing RC1 to have to manually edit every single permission on every single forum to remove the Flash option for standard users. Allowing Flash videos seems like a potential disaster area waiting to happen.
A user posts in a thread with many pages, waits a few days then edits his post with a 1x1 pixel flash movie that has a looping offensive sound. It will take a while to track down the problem since the source of the problem isn't visible at a glance. Allowing Flash by default allows users to post any kind of audio they want onto any page of your forum.
A user posts a Flash movie with an auto-redirect. Maybe it's a spammer posting a redirect to a spam site (A spammer can guarantee your site gets ACTUAL hits? That's a PERFECT incentive for site spam!). Maybe it's a redirect to a porn site to annoy admins. The main problem is that you need to view a thread to delete it.
If there's an instant redirect then an admin won't have time to hit the delete button inside the thread. If an admin doesn't know how to make his browser stop displaying Flash then you can't delete the thread without going into the database!
Which leads us to our third option:
A scammer posts a 1x1 Flash movie that has an instant auto-redirect to a phishing site. The site looks exactly like the forum except it's hosted on the scammer's webspace. Phishing site asks user to log in with name and password. User says "ok, maybe my cookie expired or something." User logs in, gives pass to scammer. Site redirects back to forum, user never notices a change. Boom: account hijacked. Boom: moderator account stolen. Boom: a stupid admin just gave up the entire forum.
The third is exactly what happened to Myspace: http://chaseandsam.com/2006/07/myspace- ... dfire.html (among hundreds of other security holes). A Flash redirect stole login information for hundreds of accounts. Certainly phpBB 3 is more secure than the black hole of stupidness that is Myspace, right?
How plausible are these possibilities? 100% guarantee they will happen if Flash is left on by default. Do you know how easy it is to create a redirecting Flash movie? It's just one line of code, compile, upload, done.
It seems like the main reason that a Flash tag was included was to allow for Google and YouTube video embeds. phpBB 2 already had a Flash embed feature, which was allowing HTML for admins (and maybe mods). That worked great because usually only Admins could post HTML, and admins are the only ones who should be allowed to embed SWF files. Now, if I were on the design team, I would 100% include YouTube and Google Video BBcode tags by default. It is my estimate that quickreply and YouTube embed mods are the most commonly used mods in phpBB forums. It looks like the Flash tag was added for that very reason, but that's a huge no-no in terms of security. If you really want to please the users by allowing Flash embeds, then make default Google and YouTube tags. There is no security problem with that. You could even make it an extension of the Flash tag, like [Flash=youtube]youtubeID[/Flash]. I'm sure that users would be ecstatic for those tags by default. The perfect solution would be a video tag generator panel in the ACP so that an admin can just put in the syntax of a movie site's URL and it will format new BBcode automatically, but I'm getting ahead of myself.
And that's all I have to say about that.
On a related note, still no quickreply in the default installation? Come on guys, I can't name a single forum that I frequent (and there are quite a few) that doesn't have a quickreply mod. What possible reason could you have for not including this? (or am I missing it maybe?)
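
The allowlisted video tag proposed in the post above, `[Flash=youtube]youtubeID[/Flash]`, sketched as an added example that is not part of the original post and is not phpBB's own code. The function name, provider table and iframe attributes are assumptions chosen for illustration; the point is that only a strictly validated ID ever reaches the markup, the embed host is pinned, and the frame is sandboxed without `allow-top-navigation` so it cannot redirect the forum page.

```php
<?php
declare(strict_types=1);

// Hypothetical provider table: each entry pins the embed host and the exact
// shape of an acceptable ID. The user never supplies a URL.
const VIDEO_PROVIDERS = [
    'youtube' => [
        'id_pattern' => '/\A[A-Za-z0-9_-]{11}\z/',
        'embed_url'  => 'https://www.youtube.com/embed/%s',
    ],
];

function render_video_tags(string $rawPost): string
{
    // Escape the whole post first so no user-supplied HTML survives.
    $escaped = htmlspecialchars($rawPost, ENT_QUOTES, 'UTF-8');

    $out = preg_replace_callback(
        '/\[flash=([a-z]+)\]([^\[\]]*)\[\/flash\]/i',
        static function (array $m): string {
            $provider = strtolower($m[1]);
            $id = trim($m[2]);

            // Unknown provider or malformed ID: leave the tag as inert text.
            if (!array_key_exists($provider, VIDEO_PROVIDERS)
                || preg_match(VIDEO_PROVIDERS[$provider]['id_pattern'], $id) !== 1) {
                return $m[0];
            }

            $src = sprintf(VIDEO_PROVIDERS[$provider]['embed_url'], $id);
            // No allow-top-navigation: the frame cannot move the parent page.
            return '<iframe width="560" height="315" src="' . $src . '"'
                 . ' sandbox="allow-scripts allow-same-origin"'
                 . ' referrerpolicy="no-referrer" allowfullscreen></iframe>';
        },
        $escaped
    );

    return $out ?? $escaped; // on a regex engine error, fall back to plain text
}

// Constructed sample posts (not taken from any real forum).
$samples = [
    '[Flash=youtube]AbCdEfGhI_0[/Flash]',                        // rendered
    '[flash=youtube]http://example.invalid/redirect.swf[/flash]', // stays text
    '[flash=other]AbCdEfGhI_0[/flash]',                           // stays text
    '<script>alert(1)</script> [flash]x.swf[/flash]',             // escaped text
];
foreach ($samples as $sample) {
    echo render_video_tags($sample), PHP_EOL;
}
```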