The Movable Type Knowledge Base

Allow HTML in Comments

Question

I'd like my visitors to be able to use HTML when posting comments.

Answer

Enable option for weblog

  • Navigate to Settings > Feedback : Comments [1].
  • Locate the setting for Allow HTML [2] and check the box to the left to turn the setting on.
  • Press the SAVE button to preserve the change.

Limit HTML Tags

The Sanitize feature protects your weblog from malicious code by permitting only certain HTML tags to be used in comments and TrackBack pings. The default set of allowed HTML tags and attributes is:

a href, b, br, p, strong, em, ul, li, blockquote

You can override this list globally with the GlobalSanitizeSpec setting in the mt-config.cgi [3] file, and you can override it on a per-weblog basis in your weblog configuration. Note: Unless you know what you're doing, it is recommended that you stick with the defaults.

Override the setting globally

  • Download mt-config.cgi from your server in ASCII mode, then open it in a plain text editor.
  • Look for this setting:
    # GlobalSanitizeSpec br/,p
  • Uncomment the setting [4], then update the line to reflect the HTML tags you wish to permit. For example, if you wanted to retain all the default settings, but also allow the <u> tag, your setting would look like this:
    GlobalSanitizeSpec a href,b,br/,p,strong,em,ul,li,blockquote,u
  • Once you've updated the line, save mt-config.cgi, then upload it back to your server in ASCII mode.

Override the setting on a per weblog basis

  • Navigate to Settings > General : Default Weblog Display Settings [5].
  • Locate the setting for Limit HTML Tags [6] and select the radio button to the left of Use my settings.
  • In the field to the right of the setting, enter all the tags you wish to allow. For example, if you wanted to retain all the default settings, but also allow the <u> tag, you would enter this string in the field:
    a href,b,br/,p,strong,em,ul,li,blockquote,u
  • Press the SAVE button to preserve the change.

Your visitors should now be able to use HTML when posting comments, subject to the limits you've imposed by your designated settings.
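The following is an added illustration, not Movable Type's own Sanitize code: a small Python allowlist filter that reads the spec string format shown above and is applied after line-break conversion, the ordering discussed in the Comments section. The function names, the simplified convert_breaks stand-in and the http(s)-only link check are assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Spec string from the article's GlobalSanitizeSpec example.
SPEC = "a href,b,br/,p,strong,em,ul,li,blockquote"

def parse_spec(spec):
    """'a href,br/' -> {'a': {'href'}, 'br': set()}; a trailing '/' marks an empty tag."""
    items = [i.split() for i in spec.lower().split(",") if i.strip()]
    return {i[0].rstrip("/"): set(i[1:]) for i in items}

class Sanitizer(HTMLParser):
    def __init__(self, spec):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = parse_spec(spec), []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:  # unlisted tags are dropped, their text is kept
            kept = [(k, v or "") for k, v in attrs if k in self.allowed[tag]]
            # Assumption of this example (not from the article): links must be http(s).
            kept = [(k, v) for k, v in kept
                    if k != "href" or re.match(r"https?://", v.strip(), re.I)]
            self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted once, without an end tag

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-encode text so it stays inert

def sanitize(html, spec=SPEC):
    s = Sanitizer(spec)
    s.feed(html)
    s.close()  # flush any buffered trailing text
    return "".join(s.out)

def convert_breaks(text):
    """Simplified stand-in for Convert Line Breaks: blank line -> <p>, newline -> <br/>."""
    paras = [p.replace("\n", "<br/>") for p in re.split(r"\n\s*\n", text.strip())]
    return "".join(f"<p>{p}</p>" for p in paras)

def render(comment, spec=SPEC):
    return sanitize(convert_breaks(comment), spec)  # Sanitize runs last
```

Calling render with a spec that omits p and br/ returns the comment text with its paragraph and line-break tags stripped, which is the behavior the editor's notes describe.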

[1] In versions prior to 3.2, navigate to Weblog Configuration > Preferences : Comment Configuration.

[2] In versions prior to 3.2, the setting is named Allow HTML in Comments.

[3] In versions prior to 3.2, the configuration file is named mt.cfg.

[4] To uncomment a setting means to remove the # from the beginning of the line where it appears.

[5] In versions prior to 3.2, navigate to Weblog Configuration > Preferences : General Settings.

[6] In versions prior to 3.2, the setting is named Sanitize Spec.

Comments

If you want your comments formatted using the Convert Line Breaks setting, you must allow the p and br/ tags in your list of allowed HTML tags.

Otherwise, the paragraphs and line breaks that Convert Line Breaks puts in will be removed by the sanitization.

Ed. Note (03.15.06): This has been designated as a bug; Text Formatting should be executed after unwanted HTML tags are removed; not before. See Limit HTML Tags Overrides Convert Breaks Text Formatting in Known Issues.

Ed. Note (06.26.06): The status of this behavior has now been changed to "intended by design". Text Formatting options (whether native or introduced by the use of a plugin) should not be allowed to introduce tags which have been explicitly banned by the weblog administrator. So, Sanitize must be applied last in order to maintain the protection it is meant to provide.
