Arbitrary HTML in posts

miko_matsumura · March 4, 2015, 2:23am

I would like to put arbitrary HTML in posts… I know this is probably a bit crazy. But I want to do it. How should I be thinking about this requirement?

An example would be a form such as this:

<form action="http://www2.gradleware.com/l/68052/2015-01-22/qgt" method="post">

sam · March 4, 2015, 2:35am

To include arbitrary HTML it needs to be whitelisted, trouble is that you do not want a global whitelist of everything cause you open yourself quite wide to arbitrary XSS attacks.

Can you work backwards, what are some examples of problems you are trying to solve?

tobiaseigen · March 4, 2015, 1:50pm

Could it be allowed by trust level? Eg everyone at TL4 can post arbitrary html? That is how it works in drupal and I like it.

elberet · March 4, 2015, 2:50pm

Having the ability to post arbitrary HTML is equivalent to full admin rights… so no, neither TL4 users nor mods should have that ability, only full admins.

Mittineague · March 4, 2015, 3:29pm

Agreed. Anything that might result in crashing the site, data loss, etc. should be solely in the hands of the Admin.

miko_matsumura · March 4, 2015, 5:45pm

I’m ok with requiring full admin… Is this a proposal or is this actually
how it works?

sam · March 4, 2015, 10:20pm

It is a proposal, but it would be very complicated to add.

sam · September 16, 2018, 10:00pm

Though technically doable in a plugin, swinging this safely is excruciatingly difficult

Closing as highly not recommended

Topic		Replies	Views
Embedding HTML inside posts by Admin Support	6	3224	May 12, 2019
How to insert custom HTML between posts Support	5	971	February 9, 2021
Can anyone enable HTML & iFrames within admin posts on my Discourse installation? Marketplace	1	1196	August 3, 2015
Restrict what can be in a userfield Support	4	437	August 7, 2022
Guidance whitelisting arbitrary HTML attributes? Support	10	1474	January 12, 2023

Arbitrary HTML in posts

Related topics