HTML restriction
MediaWiki restricts the use of HTML by default.
Only some HTML elements and attributes are allowed.
Raw-HTML sections, surrounded by the "html" tag, can be enabled with the configuration parameter $wgRawHtml
.
The code is available at includes/parser/Sanitizer.php.
Wikimedia websites (see complete list here) do not allow full use of HTML. A request to allow full use of HTML was rejected in 2005.
There are several extensions that allow for the inclusion of raw HTML. Here are the extensions that appear to be safe:
Extension | Status | Description |
---|---|---|
Extension:HTMLets | unmaintained | allows pre-defined HTML snippets with $wgRawHtml = false;
|
Extension:HTML Tags | stable | allows for adding HTML from a set of tags and attributes defined in the wiki's settings |
Extension:Secure HTML | unmaintained | adds 'Secret key' protection for html sections |
Extension:SaferHTMLTag | stable, has known security vulnerability | prevents editing of pages that contain the <html> tag by unauthorized users and groups
|
Extension:HTMLPurifier | beta | allows users to input raw HTML by using HTML Purifier to sanitize it |
Extension:Widgets | stable | allows for defining HTML- and JavaScript-based "widgets", with optional parameters |
Extension:HTMLTemplates | experimental | Creates a new HTMLTemplate namespace like normal templates except written in html. Parameters are automatically escaped in a context sensitive manner |