Limit available macros in restricted mode and enable restricted mode in HTML converter without edit rights

Yes, that was exactly my proposal. I suggest introducing a property which macros should be allowed in restricted mode. Initially, I wouldn’t include all core macros, just those for which we believe it makes sense to use them in comments (for example, I wouldn’t include the cache, async, include or display macros).

Note that we’re only talking about macros available in restricted mode, i.e., primarily in comments. In all other contexts, still all macros would be available. This proposal is primarily to limit the attack surface that is available for guest users. Further, it improves the usability by limiting the available macros to macros that make sense in comments (we would need a mechanism similar to what has been discussed for macro permissions to also make sure those macros aren’t listed in CKEditor).