Arbitrary HTML in posts

miko_matsumura · March 4, 2015, 2:23am

I would like to put arbitrary HTML in posts… I know this is probably a bit crazy. But I want to do it. How should I be thinking about this requirement?

An example would be a form such as this:

<form action="http://www2.gradleware.com/l/68052/2015-01-22/qgt" method="post">

sam · March 4, 2015, 2:35am

To include arbitrary HTML it needs to be whitelisted, trouble is that you do not want a global whitelist of everything cause you open yourself quite wide to arbitrary XSS attacks.

Can you work backwards, what are some examples of problems you are trying to solve?

tobiaseigen · March 4, 2015, 1:50pm

Could it be allowed by trust level? Eg everyone at TL4 can post arbitrary html? That is how it works in drupal and I like it.

elberet · March 4, 2015, 2:50pm

Having the ability to post arbitrary HTML is equivalent to full admin rights… so no, neither TL4 users nor mods should have that ability, only full admins.

Mittineague · March 4, 2015, 3:29pm

Agreed. Anything that might result in crashing the site, data loss, etc. should be solely in the hands of the Admin.

miko_matsumura · March 4, 2015, 5:45pm

I’m ok with requiring full admin… Is this a proposal or is this actually
how it works?

sam · March 4, 2015, 10:20pm

It is a proposal, but it would be very complicated to add.

sam · September 16, 2018, 10:00pm

Though technically doable in a plugin, swinging this safely is excruciatingly difficult

Closing as highly not recommended

Topic		Replies	Views
Embedding HTML inside posts by Admin support	6	3141	May 12, 2019
How to insert custom HTML between posts support	5	858	February 9, 2021
Can anyone enable HTML & iFrames within admin posts on my Discourse installation? marketplace	1	1162	August 3, 2015
Restrict what can be in a userfield support	4	377	August 7, 2022
Admins can accidentally create uncategorized topics without meaning to feature	9	2218	July 28, 2016

Arbitrary HTML in posts

Related Topics