diff --git a/frappe/core/doctype/comment/comment.py b/frappe/core/doctype/comment/comment.py
index 5398449b1b..7cefa3b56e 100644
--- a/frappe/core/doctype/comment/comment.py
+++ b/frappe/core/doctype/comment/comment.py
@@ -62,7 +62,9 @@ class Comment(Document):
 def validate(self):
 if not self.comment_email:
 self.comment_email = frappe.session.user
-self.content = frappe.utils.sanitize_html(self.content, always_sanitize=True)
+self.content = frappe.utils.sanitize_html(
+self.content, always_sanitize=True, disallowed_tags=["form", "input", "button"]
+)
 
 def on_update(self):
 update_comment_in_doc(self)
diff --git a/frappe/utils/html_utils.py b/frappe/utils/html_utils.py
index 091c6047db..7af5ab9907 100644
--- a/frappe/utils/html_utils.py
+++ b/frappe/utils/html_utils.py
@@ -142,7 +142,7 @@ def clean_script_and_style(html):
 return frappe.as_unicode(soup)
 
 
-def sanitize_html(html, linkify=False, always_sanitize=False):
+def sanitize_html(html, linkify=False, always_sanitize=False, disallowed_tags=None):
 """
 Sanitize HTML tags, attributes and style to prevent XSS attacks
 Based on nh3 clean, bleach whitelist and html5lib's Sanitizer defaults
@@ -167,6 +167,10 @@ def sanitize_html(html, linkify=False, always_sanitize=False):
 .union(["html", "head", "meta", "link", "body", "o:p"])
 )
 
+# Allow caller to explicitly disallow some tags
+if disallowed_tags:
+tags.difference_update(disallowed_tags)
+
 attributes = {"*": acceptable_attributes, "svg": svg_attributes}
 
 # returns html with escaped tags, escaped orphan >, <, etc.
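Review bot: The literal `["form", "input", "button"]` passed in `Comment.validate` carries no explanation of why these tags are stripped from comment bodies, and it lives only at this call site, so any other user-content field that wants the same policy has to copy it. Add a line above the call such as `# Form controls inside a comment would render as live UI in the document view; strip them rather than rely on the default allow-list` and consider lifting the list into a named constant in `frappe.utils.html_utils` so callers share one definition. The `Comment` class continues outside this hunk.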
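Review bot: The new `disallowed_tags=None` parameter on `sanitize_html` is not described in the docstring that starts right below the signature, so a caller cannot tell what shape it expects or that it narrows the allow-list rather than adding to it. Add a parameter line to the docstring along the lines of `:param disallowed_tags: iterable of lowercase tag names to remove from the allow-list before cleaning; applied even when always_sanitize is False`, adjusting the last clause to match the actual control flow, which is outside this hunk. The function body continues past the end of the hunk, so I could not confirm where the guard on `always_sanitize` sits relative to the new parameter.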
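Review bot: `tags.difference_update(disallowed_tags)` only removes names that match the allow-list exactly, so a caller passing `"FORM"` or `"Input"` gets no effect and no error, and a bare string argument would iterate character by character. Normalise and validate the input where it is consumed, e.g. `if isinstance(disallowed_tags, str): raise TypeError("disallowed_tags must be an iterable of tag names")` followed by `tags.difference_update(t.lower() for t in disallowed_tags)`, or at least state the lowercase requirement in the comment. Since `tags` appears to be the result of `.union(...)` it is a fresh set and in-place mutation looks safe, but if `tags` is ever rebound to a shared module-level set this line would silently shrink the allow-list for every subsequent caller; a comment noting that assumption would help. The function continues outside this hunk.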