
How to disable posting HTML

0 votes
228 views
asked Aug 31, 2015 in Q2A Core by SN

I am using the Markdown editor and it seems that users on my site are able to post HTML in questions, comments, and answers. Is that normal behaviour? Isn't it dangerous (XSS hacks)? How can I disable it?

Note that I don't want to use the "Basic Editor".

On yourwebsite.com/admin/posting I don't see any option to disable the usage of HTML for answers/comments/questions. There is just an option that enables/disables a customized HTML message for answers/comments/questions. This is not what I want.

EDIT: How come on this web site, if I do <h1>test</h1>, it does not appear as big h1 text? How did you disable HTML on this site?

 

Q2A version: 1.7
related to an answer for: Disable HTML for users

1 Answer

0 votes
answered Sep 1, 2015 by Scott

No, posting HTML in the Markdown editor is not dangerous as it is sanitised (both by the Markdown editor and by Q2A itself). <script> tags and most HTML attributes are removed. As far as I know there is no way to use Markdown but disallow HTML; the Markdown spec includes the ability to use HTML.

As for your edit, on this site we use the CKEditor plugin, which is a "WYSIWYG" (What You See Is What You Get) editor. So when you type <h1> into here it encodes the <> characters.

However, you can still use headings from the drop-down menus:

Like this.

...
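The two behaviours described in the answer, shown side by side as an added example (not part of the original thread and not Q2A's own code): an allowlist sanitiser that keeps safe tags but drops <script> and unlisted attributes, and the plain encoding of < and > that makes <h1> appear as text. The allowlists, the function names and the sample post are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlists for illustration only; not Q2A's real configuration.
ALLOWED_TAGS = {"h1", "h2", "p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its text

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops onclick, style and anything unlisted
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # drops javascript: and other unlisted schemes
                kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text never becomes markup

def sanitize(markup):
    # Sanitising: keep allowlisted tags and attributes, drop everything else.
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def encode(markup):
    # Encoding: turn <, >, & and quotes into entities so input shows as literal text.
    return html.escape(markup)

# Constructed sample post.
SAMPLE = '<h1 onclick="x()">test</h1><script>x()</script><a href="javascript:x()">link</a>'
```

sanitize(SAMPLE) keeps the heading and the link text but loses the event handler, the script element and the javascript: URL, while encode(SAMPLE) leaves nothing that a browser would treat as a tag.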