This is to create a new thread for an issue that was found in the Test Thread in ATMB.
This was in response to the following post:
Shouldn’t that be a bug? Passing unknown tags seems exploitable.
Yep, definitely exploitable. I managed to put in a page navigation item into my post. That is benign and I won’t try anything else. This needs to be fixed.
There are some things Discourse filters. I know I don’t know what they are. <script> tags for sure. <iframe> too, it seems.
Thanks for the new thread.
I’m not up-to-date enough on web coding to know what’s actually dangerous anymore. And anyway, it needs to be reviewed on the code side.
I just get a bad feeling when the filter seems to be a blocklist rather than a passlist.
Agree that’s called “open-endedly dangerous”.
FYI, ecg’s quote of my post in the other thread that forms most of the OP here in this thread has had a bunch of my formatting content and properly escaped display-only html stripped out. It doesn’t alter the fundamental point of my post but it does make it seem like I was having a major brain attack while writing it.
I’m pretty sure this isn’t a bug, let alone a vulnerability. Discourse posts are written in a Markdown variant (extensions include limited BBCode support, link previews, etc.). Markdown itself allows the usage of inline HTML. Discourse’s Markdown sanitizer already uses a whitelist and purposely replaces unrecognized tags with whitespace.
ETA: For example, style attributes are sanitized but you can still post div elements aligned using the legacy HTML align attribute, which is on the whitelist:
<div align="center">Centered Text</div>
~Max
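To make the allowlist behaviour Max describes concrete, here is an added example written for this thread (not Discourse’s own sanitizer): a minimal allowlist sanitizer that replaces tags it does not know with whitespace and drops any attribute not on a per-tag list. The tag list, the per-tag attribute lists and the accepted href schemes are assumptions chosen for illustration.

```javascript
// Added example, not Discourse code. Per-tag attribute allowlist (assumed).
const ALLOWED = {
  div: new Set(["align"]),   // legacy align kept, style dropped
  p: new Set(),
  b: new Set(),
  i: new Set(),
  a: new Set(["href"]),
};
const SAFE_URL = /^(https?:|mailto:)/i; // assumed: only these href schemes pass

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Escape text outside tags, but leave already-escaped entities alone.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z#][a-zA-Z0-9]*;)/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Keep only allowlisted attributes for this tag; re-quote values.
function sanitizeAttrs(tag, raw) {
  const allowed = ALLOWED[tag];
  const out = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;                      // style, onclick, ... dropped
    if (name === "href" && !SAFE_URL.test(value)) continue; // javascript: dropped
    out.push(` ${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return out.join("");
}

// Walk the input: unknown tags become a single space, known tags are rebuilt
// from their allowlisted attributes, and plain text is escaped.
function sanitize(html) {
  let out = "", last = 0, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const tag = m[1].toLowerCase();
    if (!(tag in ALLOWED)) { out += " "; continue; }
    out += m[0].startsWith("</") ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  return out + escapeText(html.slice(last));
}
```

Because the decision is "is this tag on the list", a new or forgotten tag name fails closed, which is the property a blocklist cannot give.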
All I want is the <marquee> tag to work…
I’m sorry but the marquee has been Deprecated and Mocked relentlessly.
<marquee> and <blink> are the two I want back.