Hi Richard,
Testing this locally on the latest stable version of Moodle, this appears to be stripped from the post when it is submitted.
When I added <base href="https://duckduckgo.com"> to my post and then switched back from HTML editor to WYSIWYG mode, that base URL would be applied to my current page (as expected), which meant that clicking "Post" would redirect me to https://duckduckgo.com/post.php, instead of publishing my message.
When I added <base href="https://mymoodlesite/mod/forum">, so that the URL was effectively unchanged (to allow "Post" to submit my message, including the <base>), the <base> tag and its contents were stripped from the message (not present in the message stored in the database, and also therefore not reflected to any other users or myself, once submitted). So it appears that you are unable to publish posts containing that tag (and if you could, they still would not be included in the post).
Can you confirm whether you were able to publish a post containing a <base> tag, or were just seeing it when the content was initially pasted into the editor? If it was able to be posted, it would be great if you could confirm which version of Moodle you are using (it may be better to send that information through to security@moodle.org rather than on the public forum, until we know the security implications of your findings).
Thanks!
Mick
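
One way to check stored or rendered HTML for the behaviour described in the post above, as an added example that is not part of the original post and is not Moodle's own code: it reports any <base href> in a document and lists the relative URLs that would resolve to a different origin because of it. The page URL path, the form markup and the names BaseAudit and audit are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseAudit(HTMLParser):
    """Collect <base href> values and URL-bearing attributes from HTML."""

    URL_ATTRS = {("form", "action"), ("a", "href"), ("img", "src")}

    def __init__(self):
        super().__init__()
        self.bases, self.urls = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.bases.append(attrs["href"])
        for name, attr in self.URL_ATTRS:
            if tag == name and attrs.get(attr):
                self.urls.append((tag, attrs[attr]))


def audit(html, page_url):
    """Return (base_hrefs, rehomed).

    rehomed lists (tag, url, resolved_target) for every URL that leaves the
    origin of page_url once the first <base href> is applied.
    """
    parser = BaseAudit()
    parser.feed(html)
    parser.close()
    if not parser.bases:
        return [], []
    # Browsers use the first <base> element that carries an href.
    effective = urljoin(page_url, parser.bases[0])
    origin = urlsplit(page_url)[:2]  # (scheme, host)
    rehomed = []
    for tag, url in parser.urls:
        target = urljoin(effective, url)
        if urlsplit(target)[:2] != origin:
            rehomed.append((tag, url, target))
    return parser.bases, rehomed


# Constructed sample: an editor page with a relative form action (assumed markup).
PAGE_URL = "https://mymoodlesite/mod/forum/post.php"
EDITOR_PAGE = '<base href="https://duckduckgo.com"><form action="post.php"></form>'
SAME_SITE = '<base href="https://mymoodlesite/mod/forum"><form action="post.php"></form>'
STORED_POST = "<p>Hello</p>"  # what a stored message looks like with no <base>
```

Running audit over the message body as stored in the database, rather than over the editor view, answers the question of whether the tag survived submission.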