How to disable posting HTML

Question

How to disable posting HTML

asked Aug 31, 2015 in Q2A Core by SN

I am using the Markdown editor and it seems that users on my site are able to post HTML in questions, comments, and answers. Is that a normal behaviour ? Isn't it dangerous (XSS hacks) ? How can I disable it ?

Note that I don't want to use the "Basic Editor".

On yourwebsite.com/admin/posting I don't see any option to disable the usage of HTML for answers/comments/questions. There is just an option that enable/disable a customized HTML message for answers/comments/questions. This is not what I want.

EDIT: how it comes that on this web site if I do <h1>test</h1> it will not appear as a big h1 text ? How did you disabled HTML on this site ?

Q2A version: 1.7

related to an answer for: Disable HTML for users

1 Answer

Scott · Answer 1 · 2015-09-01T06:51:29+0000

No, posting HTML in the Markdown editor is not dangerous as it is sanitised (both by the Markdown editor and by Q2A itself). <script> tags and most HTML attributes are removed. As far as I know there is no way to use Markdown but disallow HTML, the Markdown spec includes the ability to use HTML.

As for your edit, on this site we use the CKEditor plugin, which is a "WYSIWYG" (What You See Is What You Get) editor. So when you type <h1> into here it encodes the <> characters.

However you can still use headings from the drop down menus:

How to disable posting HTML

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Like this.

Please log in or register to add a comment.

Categories

How to disable posting HTML

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Like this.

Please log in or register to add a comment.

Related questions

Categories