Arbitrary HTML in posts

I would like to put arbitrary HTML in posts… I know this is probably a bit crazy. But I want to do it. How should I be thinking about this requirement?

An example would be a form such as this:

<form action="" method="post">

To include arbitrary HTML it needs to be whitelisted; the trouble is that you do not want a global whitelist of everything, because you open yourself quite wide to arbitrary XSS attacks.

Can you work backwards? What are some examples of problems you are trying to solve?


Could it be allowed by trust level? E.g. everyone at TL4 can post arbitrary HTML? That is how it works in Drupal and I like it.


Having the ability to post arbitrary HTML is equivalent to full admin rights… so no, neither TL4 users nor mods should have that ability, only full admins.


Agreed. Anything that might result in crashing the site, data loss, etc. should be solely in the hands of the Admin.

I’m ok with requiring full admin… Is this a proposal or is this actually how it works?

It is a proposal, but it would be very complicated to add.


Though technically doable in a plugin, swinging this safely is excruciatingly difficult.

Closing as highly not recommended.
