No HTML in global notice

This topic has been resolved by the Discourse Team. I’m leaving the original topic up for archival purposes, but this has been resolved by @Roman_Rizzi and the team.

I recently rebuilt Discourse to update my SMTP settings and my global notice’s HTML tags are now rendered out.

This is what it looks like with the tags:

Welcome to the NEW Real Racin' USA Motor Sports Forums!

---

Your prayers and wishes have been answered.

We've prepared a faster, newer, and easier-to-use forum experience for you, copying everything over from the old forum into this one. All of your topics, posts, and user profiles have remained intact, just as you left them!

Please read our "I Want My Account Back!" post for instructions on how to get back into your account.

Now that the dust has mostly settled, we're still checking this forum to ensure it is working properly for everyone.

For all updates on the forum and to get assistance, visit the Sunshine State Racing Facebook page.

But after the rebuild, I get this:

image1135×158 13.5 KB

Found some changes to global notices in a recent commit disabling this.

So, is there any way to include links in global notices now?

My alternative was to make a post and pin it as a banner topic.

Yes, we no longer allow the global notice site setting to contain HTML, only plain text. We chose to treat it as any other user input and sanitize it.

As mentioned above, the workaround would be to use a banner topic instead.

That’s too bad, that was really useful.

Thanks for clarifying.

Hm, just my 2 cents but the 2 have very different purpose.

Global banner is there for a purpose, i.e., when I want to notify the forum about an important topic. If a user has closed the banner this setting stays and they can’t see an update that would otherwise be visible with a global notice.

Yes, we decided to keep the setting because we know how useful it is to a non-dismissable banner during an urgent situation, but allowing unsanitized HTML could be potentially dangerous.

If someone has permissions to set a global notice, then they’re permitted to create a theme component as well? So there is no extra attack vector here?

To be clear, we don’t consider this to be a security issue as only admins can update this setting. It’s part of an ongoing effort to disallow HTML in site settings and use other tools designed to support this.

Let me lay out a case for allowing HTML. I’m working with a client who is starting a forum for investors.(Closed beta started yesterday, as it happens.) Their legal team insists on a disclaimer. It must:

• Be prominently displayed on every page of the forums.
• Not be dismissable.

In other words, a global notice.[^1]

For an example (not the site I’m working with, but in the same space), see the disclaimer on Freetrade. It’s important to note that legal doesn’t care whether the notice includes HTML. They just want to see that it’s there and that users can’t claim they didn’t see it.

Unfortunately the notice is something of an eyesore because it’s a big block of text. Thankfully, legal is ok with a smaller font and using a link to the full disclaimer. The team submitted copy to legal last week that included a link to the disclaimer. This week we discovered HTML is not allowed in a global notice anymore. So that’s fun.

Meanwhile, if we were using this for the intended purpose (“URGENT, EMERGENCY, non-dismissible global banner notice to all visitors”) wouldn’t it be handy to have a way to link to a status page or other place to learn more?

It really isn’t “any other user input” though, is it? It’s a site setting that only a handful of people can change. From the perspective of the site owners, this isn’t user input, but part of the interface provided to users.[^2]

Is there an explanation of the reasoning somewhere? If y’all are working on another tool to support non-dismissable global banners which allow links,[^3] it would be helpful to know when it will be ready. I’d rather avoid having to set up a customization if possible.

I apologize if I come off a little cranky. We didn’t know that this change was coming and it puts us in an awkward place. The community was going to be opened up to a larger audience next week and this change throws a wrench in the works.

[^1]: I can see an argument that this is misusing the feature. But if we were to build this feature ourselves, it would function exactly like a global notice.

[^2]: I understand that from Discourse’s point of view admins are users. It just sorta feels like the wrong way to think about it in this case.

[^3]: And also styling, but that’s secondary.

My initial reasoning for this is for further protection of database entries, mainly because of encoding issues with an old forum I used.

Emojis on the forum were converted to &# format and when quoted, would cause “Invalid byte sequence in utf-8” errors upon conversion, and the forum displays the emojis as � symbols.

I thought the same might could occur with HTML tags in a future update, causing database issues and rendering all communities as inoperable.

Someone who knows the code better could probably reassure that this probably won’t happen because of the several checks each fix goes through before heading to the main branch for download/update. The Discourse Team strives to keep the system as a self-contained, problem-free, 1-click solution for everyone wanting a community online, and they’ve done well at doing so!

Nevertheless, my simple fix has sufficed for now until a new solution is published. It’s also nice to have less clutter on the screen since you can dismiss banner topics.

Apologies for the inconvenience. For creating a non-dismissable banner, please take a look at this theme component:

It’s far more powerful and customizable than the global notice.

We have re-enabled HTML support on the global notice setting. We want to figure a better way to guarantee a smooth transition.

In the description below the global notice field, you might put:

“HTML support will be removed in a future version”

Also when it was disabled, the description still said “HTML allowed”.

@Roman_Rizzi When is the release with the global notice going out?

We discussed about this and we decided to keep the HTML support for the global notice setting, so it’s not going out anytime soon.

What am I missing then? How come that it’s not working on our forum?

Upgrade your Discourse. It was re-enabled a few days ago so perform an upgrade and it should be resolved.

Thnx for the super speedy reply! Just upgraded, still doesn’t work (HTML is showing).