I understand that by allowing an HTML editor, there is always the risk for javascript/iframe etc injection. However is there anyway to at least reduce it? I mean is it possible to disable the < > tags while the "Source" mode is not used? That way I can just take out the "Source" toolbar for normal users and preseve it for admins only. Right now it seems even when "Source" is not pressed, any HTML tags entered in the text window still works.

I checked my FCKConfig.js and the following lines are already there:

FCKConfig.ProtectedSource.Add( /<script[\s\S]*?\/script>/gi ) ; // <SCRIPT> tags.
FCKConfig.ProtectedSource.Add( /<%[\s\S]*?%>/g ) ; // ASP style server side code <%...%>
FCKConfig.ProtectedSource.Add( /<\?[\s\S]*?\?>/g ) ; // PHP style server side code <?...?>
FCKConfig.ProtectedSource.Add( /(<asp:[^\>]+>[\s|\S]*?<\/asp:[^\>]+>)|(<asp:[^\>]+\/>)/gi ) ; // ASP.Net style tags <asp:control>
FCKConfig.ProtectedSource.Add( /<iframe>[\s\S]*?<\/iframe>/g ) ;
FCKConfig.ProtectedSource.Add( /<html>[\s\S]*?<\/html>/g ) ;
FCKConfig.ProtectedSource.Add( /<script[^\>]+>[\s\S]*?<\/script>/g ) ;
FCKConfig.ProtectedSource.Add( /<code>[\s\S]*?<\/code>/g ) ;

Are these supposed rules to filter out the tags? But script tags and iframe tags still work in my editor. Is there some option that I need to turn on to enforce these rules?

No the lines had always been there, untouched. But are those rules actually set to prevent the script and iframe tags from being rendered by the browser (which is what I want to do)? Basically I do not want an end user using FCKeditor to be able to use "script" and "iframe" tags. I want to prevent someone from loading malicious scripts/websites that can harm other people's computers.