There are different methods to ensure that posted data cannot be used to exploit sites. WordPress achieves this by limiting the types of content that you can save.
It prevents potentially harmful content from entering the database and from being displayed on the site when it is already in the database. WordPress employs different methods to achieve this depending on the type of content that is being saved. Thus, content posted by a trusted user and a comment from an unknown user are not treated in the same way.
This filtering process allows administrators and editors to do “almost anything” that makes sense, because administrators and editors can break their own sites in much simpler ways than preparing malicious content. For HTML content, this means that administrators and editors can use a large set of HTML tags in their posts, pages, and comments.
All other users can employ the same set of tags in their post contents, but a smaller set of HTML tags in their comments. Any HTML that is not allowed is stripped out, and HTML that is not well formed is encoded, so that it displays as HTML source and is not actually parsed as HTML.
Toolset applies a similar filtering mechanism to Post and User fields.
User roles allowed to save unfiltered HTML in post fields
In Toolset, only users with administrator and editor roles can save unfiltered HTML content in the Post and User Fields. For any other user, the field values will be filtered and only allowed HTML tags will be saved. HTML tags that are not allowed will be stripped and invalid HTML will be encoded.
The only way to allow users with a role lower than Editor to add unfiltered HTML content to post fields is to elevate them to the Editor or Administrator role.
For administrators and editors, please note that unfiltered HTML content is enabled by default in Post and User Fields. However, this option can be disabled on the Toolset Settings page under the Custom Content tab, as shown in the next image.
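The following is an added example, not code from WordPress or Toolset, that models the rule described above for both WordPress content and Toolset fields: trusted roles save content unfiltered (unless the Toolset-style setting is switched off), everyone else gets an allowlist that is larger for post fields than for comments, disallowed tags are stripped while their inner text survives, and stray `<` / `>` that do not form a well-formed tag are encoded so they render as source. The role names, the two allowlists, the `unfiltered_enabled` switch and the accepted URL schemes are assumptions constructed for the example; WordPress's real allowed-tag tables are far larger.

```python
"""Simplified model of WordPress/Toolset-style allowlist HTML filtering.

Constructed for illustration: the allowlists below are small stand-ins for
WordPress's real allowed-tag tables, and the role names are assumptions.
"""
import re
from urllib.parse import urlsplit

# Roles that may save unfiltered HTML (mirrors the documented rule).
TRUSTED_ROLES = {"administrator", "editor"}

# Allowed tag -> allowed attributes for post fields. Constructed, deliberately small.
POST_ALLOWED = {
    "a": {"href", "title"}, "p": set(), "strong": set(), "em": set(),
    "ul": set(), "li": set(), "br": set(),
}
# Comments get a smaller set, as the text describes.
COMMENT_ALLOWED = {"a": {"href"}, "strong": set(), "em": set()}

SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL

# A well-formed tag: optional '/', a name, optional attributes, optional '/'.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s[^<>]*?)?)\s*(/?)>")
# Only double-quoted attributes are recognised; anything else is dropped.
ATTR_RE = re.compile(r'([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*"([^"]*)"')


def _safe_url(value: str) -> bool:
    """Accept relative URLs and a short list of schemes; reject e.g. javascript:."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


def _rebuild_tag(closing, name, attrs, selfclose, allowed_attrs):
    """Re-emit an allowed tag keeping only its allowed, safe attributes."""
    if closing:
        return f"</{name}>"
    kept = []
    for aname, value in ATTR_RE.findall(attrs):
        aname = aname.lower()
        if aname not in allowed_attrs:
            continue                      # e.g. onclick= is never on the allowlist
        if aname == "href" and not _safe_url(value):
            continue                      # e.g. javascript: URLs are dropped
        kept.append(f' {aname}="{value}"')
    return f"<{name}{''.join(kept)}{' /' if selfclose else ''}>"


def _encode_text(text: str) -> str:
    """Text that is not a well-formed tag is encoded so it renders as source."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def filter_html(content: str, allowed: dict) -> str:
    """Strip disallowed tags (keeping their inner text); encode stray < and >."""
    out, pos = [], 0
    for m in TAG_RE.finditer(content):
        out.append(_encode_text(content[pos:m.start()]))
        closing, name, attrs, selfclose = m.groups()
        name = name.lower()
        if name in allowed:
            out.append(_rebuild_tag(closing, name, attrs, selfclose, allowed[name]))
        # A disallowed tag is simply dropped; the text between its tags survives.
        pos = m.end()
    out.append(_encode_text(content[pos:]))
    return "".join(out)


def save_content(content, role, context="post", unfiltered_enabled=True):
    """Apply the documented rule before a field value is 'saved'.

    unfiltered_enabled models the Toolset setting that can switch off
    unfiltered HTML even for trusted roles (an assumption of this example).
    """
    if role in TRUSTED_ROLES and unfiltered_enabled:
        return content                    # saved exactly as submitted
    allowed = POST_ALLOWED if context == "post" else COMMENT_ALLOWED
    return filter_html(content, allowed)


if __name__ == "__main__":
    # Constructed sample input mixing an allowed tag, unsafe attributes,
    # a disallowed tag and a stray '<'.
    sample = ('<a href="javascript:alert(1)" onclick="x()">link</a>'
              '<script>steal()</script> 1 < 2')
    for role in ("editor", "author"):
        print(role, "->", save_content(sample, role, "comment"))
```

Running the block shows the editor's comment saved untouched while the author's comment is reduced to `<a>link</a>steal() 1 &lt; 2`: the `script` tags are gone but their text remains, the event handler and `javascript:` link are dropped, and the lone `<` is encoded. Note that the model only recognises double-quoted attributes and a handful of tags; it illustrates the stripping and encoding behaviour the text describes rather than reproducing WordPress's own filter.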