We sometimes get clients who want to set up basic javascript functionality in CMS-managed content.
For example, people may want to put an onclick handler on an A tag. Currently the WYSIWYG editor strips them out.
What are the risks of failing to strip out onclick events from content entered into the CMS?