Problem: there are two different tasks - to put plain text into a wiki, so that it is displayed unmodified; and to put HTML into a wiki, so that it is displayed unmodified, i.e. rendered by the browser.

Proposed solution:

1. The double quote syntax solves the first problem. On their contents, htmlspecialchars() is executed. Done.
   
2. The second problem is solved by the new syntax. Done.
   1. The <# #> is proposed.
3. In the second task, depending on the option in the configuration file, the dangerous HTML code is removed or not removed. Done.
   1. see SafeHTML - anti-XSS HTML parser

Dangerous code is:

• attributes on*, data*, action="javascript:", href="javacript:", dynsrc.
• tags <object>, <layer>, <ilayer>, <frame>, <iframe>, <script>, <embed>, <applet>, <bgsound>, <style>, <link>, <body>, <meta>, <frameset>.
• strip dangerous CSS.
  • position: (but not backgound-position:)
  • @import
  • @font-face:
  • expression
  • behavior
• For subject, it is suggested to do strip_tags() with some small set of allowed tags, like i, a, b, s, strong, strike, u. The style attribute should also be removed.