
Allow html code in comments

How can I allow code like this?

<div style="background-color:blue;color:white;padding:20px"> Some text</div>

In previous Vanilla we had a plugin, htmlLawed. But that does not work anymore on version 3.3.

Please advise.



  • Linc Detroit Admin
    edited September 2020

    It's a security flaw to allow that, because you can then maliciously use the style to obscure or replace other parts of the page.

  • I know that. I want to know how to enable it not why it is turned off.

  • If I am the administrator, I should be able to add this kind of code.

  • RMonsen New
    edited September 2020

    I assume you are using the Advanced editor here, since the rich editor doesn't allow you to type html at all.

    The advanced editor cleans the HTML using client-side JavaScript; you can edit plugins/editor/js/advanced.js to set up whitelisting for what you want to allow.

    editor.js also has an example at the bottom of how to hook into the custom parse event, which is a better approach than editing advanced.js directly.

    I had the same need as you, so this is what I found myself when digging through the files, maybe there is a better option. I am no expert here, I just figured this out a few days ago.

    I don't know how to turn the filtering completely off, I have only experimented with the whitelisting in those files.

    In addition, the core class library/core/class.vanillahtmlformatter.php cleans the style tags from the tags server-side before displaying the content, see line 214.

    Keep in mind what Linc said though, security isn't something you should take lightly.
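
As an added illustration of the whitelisting approach discussed in this thread (not code from any poster and not Vanilla's own code): a filter for the value of a `style` attribute that keeps only a few properties with tightly constrained values, so the markup from the question survives while positioning, layering and `url()` declarations are dropped. The function name, property list and value patterns are assumptions, and a client-side filter like this is not an enforcement point, so the same rule would have to hold wherever the server cleans the content.

```javascript
// Added example. filterStyle(), the property list and the value patterns are
// hypothetical choices for the markup in this thread, not Vanilla's settings.
const COLOR = /^(#[0-9a-f]{3,8}|[a-z]{3,20})$/i;   // hex or a bare keyword
const LENGTH = '(0|\\d{1,2}(px|em))';              // at most 99px / 99em
const ALLOWED = new Map([
  ['color', COLOR],
  ['background-color', COLOR],
  ['padding', new RegExp(`^${LENGTH}( ${LENGTH}){0,3}$`, 'i')],
]);

// Returns a cleaned style string containing only allowlisted declarations.
function filterStyle(styleText) {
  // Reject the whole attribute if it contains escapes, at-rules, function
  // calls, quotes, markup or comments. This deliberately also rejects rgb().
  if (/[\\@()<>"']|\/\*/.test(styleText)) return '';
  const kept = [];
  for (const decl of styleText.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;                       // empty or malformed part
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim().replace(/\s+/g, ' ');
    const pattern = ALLOWED.get(prop);              // undefined if not listed
    if (pattern && pattern.test(value)) kept.push(`${prop}:${value}`);
  }
  return kept.join(';');
}

// Constructed sample inputs: the first is the style from the question, the
// others are the kind of declarations the filter is meant to drop.
const samples = [
  'background-color:blue;color:white;padding:20px',
  'color:white;position:fixed;top:0;left:0;z-index:9999',
  'background-color:blue;background-image:url(x)',
  'padding:500px',
];
for (const s of samples) console.log(JSON.stringify(s), '->', JSON.stringify(filterStyle(s)));
```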
