Documentation has fallen behind a bit. There appear now to be five levels of HTML: 1) "Default permissions" - has a list of about 20 HTML tags, most of which appear to match up to the minimal installation of the TMC Editor. Use of the HTML editor to place HTML tags while writing a new post generates the "Invalid HTML" error trap, and the tags are typically turned into text equivalents (e.g., ">"). However, writing a post in the RTE, then opening it in the HTML editor, allows manipulation of default HTML tags. This behavior is sometimes hard to predict. 2) "Simple HTML" - adds the IMG tag with attributes. We set this permission to "Deny" for basic users, given that our community began almost exclusively as a support community for end-users. I have wondered if the unpredictable behavior around the default tag set has anything to do with this setting. 3) "Use HTML which can embed third party content" - Not documented. This really needs to be fully documented. Use of tags like <EMBED>, <OBJECT>,<IFRAME> etc., opens major security risks like cross-site scripting. Even with algorithms built into today's browsers that detect and suppress cross-site scripting, one can hardly be too careful. While the TMC Editor suppresses JavaScript, there's plenty of other malicious content that can be embedded into a post, even if it isn't dynamic. 4) "Advanced HTML" - thanks to CarolineS for the reminder. How is this different from the "embed third party content" version? 5) "Full HTML" - Trying to figure out how this is different from the previous two items. Since it isn't documented in https://community.lithium.com/t5/Roles-and-permissions/Allowed-HTML-Tags/ta-p/57476, it's not obvious what is the difference. So the major question is, Why is 3 defaulted to "Grant", while 4 is defaulted to "Deny"? A corollary question is, Why does the HTML editor even appear on discussion boards, when use of Simple HTML is denied for forums?
... View more
