The Filter core module allows you to configure formats for text input for your site.
- In Drupal 8, these settings are under Configuration > Content Formatting > "Text formats and editors" (/admin/config/content/formats).
- In Drupal 7, these settings are under Configuration > "Text formats" (/admin/config/content/formats).
- In Drupal 6 and earlier, these settings are under "Site Configuration" > "Input formats".
Despite the name "filter," the module not only lets you prevent the use of formatting you don't want, but also lets you control and enhance the formatting that appears. For example, you can use a filter to turn ordinary line breaks into HTML paragraph tags.
When users create or edit content, they can choose between the input formats administrators make available to their user role. By default, Drupal 6 and 7 ship with two options: Filtered HTML and Full HTML; Drupal 8 ships with Basic HTML, Restricted HTML, and Full HTML.
Administrators can configure which formats are available to which user roles, choose a default input format, and create new input formats. In Drupal 8, this module also allows you to configure the WYSIWYG (what you see is what you get) toolbars and the items that appear on those toolbars. You can configure each input format to use your choice of filters.
In Drupal 7 and later, when you specify more than one format for a filter, you can specify the order in which they are processed.
If the "PHP Filter" is enabled (in the "Core Optional" modules), you can allow users to input PHP code. However, this option represents a serious security risk, so use it with care.
Drupal has been powering sites with lots of user-generated content for years, securely and safely. See http://drupal.org/node/213156 for more detailed information on filters, how they work, and how to configure them. Follow these and other best practices to keep your site safe.
- The "Full HTML" filter allows HTML to be posted unfiltered. This can represent a severe security risk.
- When working with user-generated content, it's always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow guests to have access to Full HTML.
- The PHP Filter is especially dangerous, as it allows code-driven queries to be run on your site's database, among other things. Grant this input format only to users who are not only trusted, but really know what they are doing with PHP and Drupal. A one-character typo could end up with dire consequences for your site.
- Allowing unrestricted items like an
<img />could result in someone posting an image that is too big for your page layout, breaking the site. Use contributed modules to upload and resize images so they fit nicely on your pages.
- Explore contributed modules to install special filters that allow video embeds, references to other posts, and so on. See http://drupal.org/node/779080 for documentation on the many modules that extend and enhance input filters.