HTML restriction
MediaWiki restricts the use of HTML by default.
Only some HTML elements and attributes are allowed.
Raw-HTML sections, surrounded by the "html" tag, can be enabled with the configuration parameter $wgRawHtml.
The code is available at includes/parser/Sanitizer.php.
Wikimedia websites (see complete list here) do not allow full use of HTML. A request to allow full use of HTML was rejected in 2005.
There are several extensions that allow for the inclusion of raw HTML. Here are the extensions that appear to be safe:
| Extension | Status | Description |
|---|---|---|
| Extension:HTMLets | unmaintained | allows pre-defined HTML snippets with $wgRawHtml = false;
|
| Extension:HTML Tags | stable | allows for adding HTML from a set of tags and attributes defined in the wiki's settings |
| Extension:Secure HTML | unmaintained | adds 'Secret key' protection for html sections |
| Extension:SaferHTMLTag | stable, has known security vulnerability | prevents edition of pages that contain the <html> tag by unauthorized users and groups
|
| Extension:HTMLPurifier | beta | allows users to input raw HTML by using HTML Purifier to sanitize it |
| Extension:NamespaceHTML | unmaintained, has known security vulnerability | allows raw HTML in specified namespaces |
| Extension:Widgets | stable | allows for defining HTML- and JavaScript-based "widgets", with optional parameters |