HTML restriction

MediaWiki restricts the use of HTML by default. Only some HTML elements and attributes are allowed. Raw-HTML sections, surrounded by the "html" tag, can be enabled with the option $wgRawHtml. The code is available at includes/Sanitizer.php.

The Wikimedia Foundation's internal website allows full use of HTML. Their other websites (see complete list here) do not. A request to allow full use of HTML was rejected in 2005.

There are several extensions that allow for the inclusion of raw HTML. Here are the extensions that appear to be safe:
 * Extension:HTMLets - allows pre-defined HTML snippets with $wgRawHtml=false.
 * Extension:HTML Tags - allows for adding HTML from a set of tags and attributes defined in the wiki's settings.
 * Extension:Secure HTML - adds 'Secret key' protection for html sections.
 * Extension:Widgets - allows for defining HTML- and JavaScript-based "widgets", with optional parameters.

The following raw HTML extensions have been judged to be unsafe, and should not be used:
 * Extension:SecureHTML - allows HTML on protected pages only + namespace controls.
 * Extension:Secured HTML - defines a new "HTML" namespace with "coders" usergroup who can edit them.

The following raw HTML extensions appear to be safe, but are not currently maintained:
 * Extension:AddHTML - allows HTML on protected pages only.
 * Extension:RawMsg - allows HTML as stored in MediaWiki namespace only.