Arbitrary HTML in posts


(Miko Matsumura) #1

I would like to put arbitrary HTML in posts… I know this is probably a bit crazy. But I want to do it. How should I be thinking about this requirement?

An example would be a form such as this:

<form action="http://www2.gradleware.com/l/68052/2015-01-22/qgt" method="post">

(Sam Saffron) #2

To include arbitrary HTML it needs to be whitelisted; the trouble is that you do not want a global whitelist of everything, because you open yourself quite wide to arbitrary XSS attacks.

Can you work backwards? What are some examples of problems you are trying to solve?
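
As an added illustration of the allowlist approach described in this reply (example code, not Discourse's own sanitizer or any code from the thread), here is a small allowlist-based HTML sanitizer in JavaScript. The tag and attribute lists, the helper names (`sanitize`, `rebuildTag`, `safeUrl`, `decodeEntities`) and the sample posts are assumptions constructed for this example. Everything not on the allowlist is rendered as visible text rather than as markup, so the `<form>` from the opening post survives as text but is never submitted, and a link whose `href` uses a scheme outside the allowlist keeps its text but loses the attribute.

```javascript
// Added example: allowlist-based HTML sanitizer. Not Discourse's sanitizer;
// the tag/attribute lists, helper names and sample inputs are assumptions
// constructed for this demonstration.

// Tag -> attributes allowed on it. A Map avoids prototype lookups such as
// "constructor" matching on a plain object.
const ALLOWED_TAGS = new Map(Object.entries({
  a: ['href', 'title'],
  b: [], i: [], em: [], strong: [], p: [], br: [], code: [], pre: [],
  ul: [], ol: [], li: [],
}));
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Text nodes: only the characters that can open a tag need escaping here.
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
// Attribute values are always re-emitted double-quoted, so quote them fully.
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Decode numeric and a few named entities so an encoded scheme such as
// "&#106;avascript:" is checked as the browser would see it.
const cp = (n) => (n > 0x10ffff ? '' : String.fromCodePoint(n));
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', tab: '\t', newline: '\n' };
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&([a-z]+);?/gi, (m, n) => (n.toLowerCase() in named ? named[n.toLowerCase()] : m));
}

// Accept relative URLs and allowlisted schemes only. Whitespace and control
// characters are stripped first because browsers ignore them inside a scheme.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// name, then optional ="..." / '...' / bare value
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Rebuild an allowed opening tag from scratch, keeping only allowed attributes.
function rebuildTag(name, rawAttrs) {
  const allowedAttrs = ALLOWED_TAGS.get(name);
  const out = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!allowedAttrs.includes(attr)) continue; // drops onclick, style, etc.
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (attr === 'href' && !safeUrl(value)) continue;
    out.push(` ${attr}="${escapeAttr(value)}"`);
  }
  return `<${name}${out.join('')}>`;
}

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Walk the input; text between tags is escaped, tags outside the allowlist are
// escaped so they show up as literal text, allowed tags are rebuilt.
function sanitize(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    const [raw, slash, tagName, rawAttrs] = m;
    const name = tagName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeText(raw); // <form>, <script>, ... become visible text
    } else if (slash) {
      out += `</${name}>`; // closing tags never carry attributes
    } else {
      out += rebuildTag(name, rawAttrs);
    }
    last = m.index + raw.length;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample posts (the first is the form tag from the opening post).
const SAMPLE_POSTS = [
  '<form action="http://www2.gradleware.com/l/68052/2015-01-22/qgt" method="post">',
  '<a href="javascript:alert(1)" onclick="x()">click</a>',
  '<a href="&#106;avascript:alert(1)">x</a>',
  '<p>Hello <b>world</b> &amp; 2 < 3</p>',
  '<a href="https://example.com/?a=1&amp;b=2" title=\'T\'>ok</a>',
];
for (const post of SAMPLE_POSTS) console.log(sanitize(post));
```

The sanitizer does not balance tags, and a `>` inside a quoted attribute value cuts the tag short (harmlessly, since the remainder is escaped as text), which is exactly why production code uses a real HTML parser rather than regular expressions; the point of the example is the allowlist shape, not the tokenizer.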


(Tobias Eigen) #3

Could it be allowed by trust level? E.g. everyone at TL4 can post arbitrary HTML? That is how it works in Drupal and I like it.


(Jens Maier) #4

Having the ability to post arbitrary HTML is equivalent to full admin rights… so no, neither TL4 users nor mods should have that ability, only full admins.


(Mittineague) #5

Agreed. Anything that might result in crashing the site, data loss, etc. should be solely in the hands of the Admin.


(Miko Matsumura) #6

I’m ok with requiring full admin… Is this a proposal or is this actually how it works?


(Sam Saffron) #7

It is a proposal, but it would be very complicated to add.


(system) #8

(Sam Saffron) #9

Though technically doable in a plugin, swinging this safely is excruciatingly difficult.

Closing as highly not recommended.


(Sam Saffron) #10