diff --git a/src/Toolbox.php b/src/Toolbox.php
index e1ee3d690d6..6e9878251ff 100644
--- a/src/Toolbox.php
+++ b/src/Toolbox.php
@@ -311,9 +311,33 @@ public static function unclean_cross_side_scripting_deep($value)
      */
     public static function getHtmLawedSafeConfig(): array
     {
+        $forbidden_elements = [
+            'script',
+
+            // header elements used to link external resources
+            'link',
+            'meta',
+
+            // elements used to embed potential malicious external application
+            'applet',
+            'canvas',
+            'embed',
+            'object',
+
+            // form elements
+            'form',
+            'button',
+            'input',
+            'select',
+            'datalist',
+            'option',
+            'optgroup',
+            'textarea',
+        ];
+
         $config = [
-            'elements' => '* -applet -canvas -embed -form -object -script -link -meta',
-            'deny_attribute' => 'on*, srcdoc',
+            'elements' => '* ' . implode('', array_map(fn($element) => '-' . $element, $forbidden_elements)),
+            'deny_attribute' => 'on*, srcdoc, formaction',
             'comment' => 1, // 1: remove HTML comments (and do not display their contents)
             'cdata' => 1, // 1: remove CDATA sections (and do not display their contents)
             'direct_list_nest' => 1, // 1: Allow usage of ul/ol tags nested in other ul/ol tags
diff --git a/tests/units/Glpi/RichText/RichText.php b/tests/units/Glpi/RichText/RichText.php
index f0852079da5..dbcd9536ee6 100644
--- a/tests/units/Glpi/RichText/RichText.php
+++ b/tests/units/Glpi/RichText/RichText.php
@@ -161,7 +161,13 @@ protected function getSafeHtmlProvider(): iterable
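Review bot: The `'elements' =>` line in the Toolbox.php hunk joins the forbidden names with an empty separator, so the spec becomes `* -script-link-meta…` instead of the space-separated `* -applet -canvas …` form the removed line used; as far as I recall htmLawed strips whitespace and splits the spec on `-`/`+` markers, so this is presumably equivalent, but it no longer matches the documented format and is harder to eyeball. `'elements' => '* -' . implode(' -', $forbidden_elements),` keeps the conventional form and drops the untyped closure. Adding `formaction` to `deny_attribute` is defence in depth now that `button` and `input` are removed, since that attribute is only defined on those elements; a comment such as `// formaction: redundant with the removal of button/input, kept as defence in depth` would stop a later cleanup from dropping it. The rest of getHtmLawedSafeConfig, including the remaining `$config` entries and the return, continues outside the hunk.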

+ + +
@@ -240,9 +246,15 @@ public function () {

Form element should be removed

-
- - +
+ + + OK + + Opt 1 + Opt 2 + + Some textarea content