Using the allowedContent settings, besides true (allow all content), it seems impractical to use it for Web Content and Blogs. We'd need to whitelist every element+attribute we'd want to allow. So for example, to support tables, we'd need to add something like: table['border', 'cellpadding', 'cellspacing'], thead, tbody, tfoot, tr, th, td.
For more restrictive content like BBCode and Creole this may be fine. But for Web Content and Blogs, we provide a lot of features.
But maybe this is what we want? It would be safer, but I just think it'd be a pain to maintain and prone to misconfiguration.
4.4.0 added blacklisting (disallowedContent) and RegEx to the content filter rules. RegEx would make whitelisting easier. Or it seems like it would be easier to blacklist content we didn't want to allow. But is that a security no-no? Maybe we could use both? disallowedContent for Web Content and Blogs; and allowedContent for Wiki and Message Boards.
Also of note: with extraAllowedContent used while ACF is left in auto mode, we can create a minimal baseline of content, allowing the plugins, toolbars, etc. to handle the bulk of the defining parts. I don't know how much that really saves us though.
Points of interest
- on vs off by default
- toolbar vs config settings and ACF's effect on content. See: http://ckeditor.com/demo#acf
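The whitelist-versus-blacklist question above, as an added example that is not part of the original post or of CKEditor itself. The option names (allowedContent, disallowedContent) and the string rule format (elements, then attributes in square brackets, rules separated by semicolons, wildcards in names) are CKEditor 4's; the filter functions below are this example's own simplified model of those rules (styles and classes are left out), not CKEditor's filter, and the sample content is constructed. It shows the property the post is asking about: an allowedContent whitelist fails closed on an element nobody listed, while a disallowedContent-only setup lets through anything the blacklist did not foresee.

```javascript
// Two configs in the shape CKEditor 4 expects (option names are real;
// the rule contents are this example's own choices).
const tableWhitelist = {
  allowedContent: 'p br strong em; table[border,cellpadding,cellspacing]; thead tbody tfoot tr th td',
};
const blacklistOnly = {
  allowedContent: true,                // allow everything ...
  disallowedContent: 'script; *[on*]', // ... except what we thought of
};

// Constructed sample content: each entry is one element and its attributes.
const sampleContent = [
  { tag: 'p', attrs: [] },
  { tag: 'table', attrs: ['border', 'onclick'] },
  { tag: 'iframe', attrs: ['src'] },   // not foreseen by either rule set
  { tag: 'script', attrs: [] },
];

// Turn an ACF name ("table", "on*", "*") into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Parse "elements[attr,attr]" rules separated by ';'. The '!' (required)
// marker is accepted but treated like a plain attribute name.
function parseRules(text) {
  return text.split(';').map(s => s.trim()).filter(Boolean).map(rule => {
    const m = /^([^[\]{}()]+)(?:\[([^\]]*)\])?/.exec(rule);
    const elements = m[1].trim().split(/\s+/).map(globToRegExp);
    const attrs = m[2] === undefined
      ? []
      : m[2].split(',').map(a => a.trim().replace(/^!/, '')).filter(Boolean).map(globToRegExp);
    return { elements, attrs };
  });
}

function ruleMatchesElement(rule, tag) {
  return rule.elements.some(re => re.test(tag));
}

// Whitelist semantics: the element survives only if some rule names it, and an
// attribute survives only if a rule for that element names the attribute.
function whitelistFilter(rules, tag, attrNames) {
  const matching = rules.filter(r => ruleMatchesElement(r, tag));
  if (matching.length === 0) return null; // unknown element: dropped
  const kept = attrNames.filter(a => matching.some(r => r.attrs.some(re => re.test(a))));
  return { tag, attrs: kept };
}

// Blacklist semantics: a rule with no attributes removes the whole element; a
// rule with attributes removes only those attributes. Anything unmatched passes.
function blacklistFilter(rules, tag, attrNames) {
  const matching = rules.filter(r => ruleMatchesElement(r, tag));
  if (matching.some(r => r.attrs.length === 0)) return null;
  const kept = attrNames.filter(a => !matching.some(r => r.attrs.some(re => re.test(a))));
  return { tag, attrs: kept };
}

// Apply a config: allowedContent first (true means "keep all"), then
// disallowedContent on whatever survived.
function filterDocument(config, elements) {
  const allow = config.allowedContent === true ? null : parseRules(config.allowedContent);
  const deny = config.disallowedContent ? parseRules(config.disallowedContent) : [];
  const out = [];
  for (const el of elements) {
    let kept = allow
      ? whitelistFilter(allow, el.tag, el.attrs)
      : { tag: el.tag, attrs: el.attrs.slice() };
    if (kept && deny.length > 0) kept = blacklistFilter(deny, kept.tag, kept.attrs);
    if (kept) out.push(kept);
  }
  return out;
}

console.log('whitelist:', JSON.stringify(filterDocument(tableWhitelist, sampleContent)));
console.log('blacklist:', JSON.stringify(filterDocument(blacklistOnly, sampleContent)));
```

Both configs strip the onclick attribute and the script element, but only the whitelist drops the iframe, because the blacklist never mentioned it; that is the maintenance trade-off in the post stated as behaviour.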