This topic has been resolved by the Discourse Team. I’m leaving the original topic up for archival purposes, but this has been resolved by @Roman_Rizzi and the team.
I recently rebuilt Discourse to update my SMTP settings and my global notice’s HTML tags are now rendered out.
This is what it looks like with the tags:
Welcome to the NEW Real Racin' USA Motor Sports Forums!
Your prayers and wishes have been answered.
We've prepared a faster, newer, and easier-to-use forum experience for you, copying everything over from the old forum into this one. All of your topics, posts, and user profiles have remained intact, just as you left them!
Please read our "I Want My Account Back!" post for instructions on how to get back into your account.
Now that the dust has mostly settled, we're still checking this forum to ensure it is working properly for everyone.
Hm, just my 2 cents but the 2 have very different purposes.
Global banner is there for a purpose, i.e., when I want to notify the forum about an important topic. If a user has closed the banner this setting stays and they can’t see an update that would otherwise be visible with a global notice.
Yes, we decided to keep the setting because we know how useful it is to have a non-dismissable banner during an urgent situation, but allowing unsanitized HTML could be potentially dangerous.
If someone has permissions to set a global notice, then they’re permitted to create a theme component as well? So there is no extra attack vector here?
To be clear, we don’t consider this to be a security issue as only admins can update this setting. It’s part of an ongoing effort to disallow HTML in site settings and use other tools designed to support this.
Let me lay out a case for allowing HTML. I’m working with a client who is starting a forum for investors. (Closed beta started yesterday, as it happens.) Their legal team insists on a disclaimer. It must:
Be prominently displayed on every page of the forums.
For an example (not the site I’m working with, but in the same space), see the disclaimer on Freetrade. It’s important to note that legal doesn’t care whether the notice includes HTML. They just want to see that it’s there and that users can’t claim they didn’t see it.
Unfortunately the notice is something of an eyesore because it’s a big block of text. Thankfully, legal is ok with a smaller font and using a link to the full disclaimer. The team submitted copy to legal last week that included a link to the disclaimer. This week we discovered HTML is not allowed in a global notice anymore. So that’s fun.
Meanwhile, if we were using this for the intended purpose (“URGENT, EMERGENCY, non-dismissible global banner notice to all visitors”) wouldn’t it be handy to have a way to link to a status page or other place to learn more?
It really isn’t “any other user input” though, is it? It’s a site setting that only a handful of people can change. From the perspective of the site owners, this isn’t user input, but part of the interface provided to users.[2]
Is there an explanation of the reasoning somewhere? If y’all are working on another tool to support non-dismissable global banners which allow links,[3] it would be helpful to know when it will be ready. I’d rather avoid having to set up a customization if possible.
I apologize if I come off a little cranky. We didn’t know that this change was coming and it puts us in an awkward place. The community was going to be opened up to a larger audience next week and this change throws a wrench in the works.
[1] I can see an argument that this is misusing the feature. But if we were to build this feature ourselves, it would function exactly like a global notice.
[2] I understand that from Discourse’s point of view admins are users. It just sorta feels like the wrong way to think about it in this case.
My initial reasoning for this is for further protection of database entries, mainly because of encoding issues with an old forum I used.
Emojis on the forum were converted to &# format and when quoted, would cause “Invalid byte sequence in utf-8” errors upon conversion, and the forum displays the emojis as � symbols.
I thought the same might occur with HTML tags in a future update, causing database issues and rendering all communities as inoperable.
Someone who knows the code better could probably reassure that this probably won’t happen because of the several checks each fix goes through before heading to the main branch for download/update. The Discourse Team strives to keep the system as a self-contained, problem-free, 1-click solution for everyone wanting a community online, and they’ve done well at doing so!
Nevertheless, my simple fix has sufficed for now until a new solution is published. It’s also nice to have less clutter on the screen since you can dismiss banner topics.