OK iionly, thanks...
I had read it; the question is, what kind of trouble can a production site have?
You could easily inject a script stealing all user sessions. You don't want to disable htmlawed without a good replacement.
You might want to adjust htmlawed configuration instead: https://github.com/Elgg/Elgg/blob/master/mod/htmlawed/start.php#L66