The Filter core module allows you to configure
text formats for processing text input for your site.
- In Drupal 8, these settings are under Configuration > Content Formatting > "Text formats and editors" (
- In Drupal 7, these settings are under Configuration > "Text formats" (
- In Drupal 6 and earlier, these settings are under "Site Configuration" > "Input formats".
Despite the name "filter," the module not only lets you prevent the use of formatting you don't want, but also lets you control and enhance the formatting that appears. For example, the
Basic HTML text format has the caption filter enabled by default, which means any image, video, quote, code snippet and so on can be captioned, without needing to enter the exact HTML a specific site wants for it:
<img src="" data-caption="Hello world!"> is transformed into
<figure><img src=""><figcaption>Hello world!</figcaption></figure> automatically (and that HTML is defined in a template that can be customized).
When users create or edit content, they can choose between the text formats administrators make available to their user role. By default, Drupal 6 and 7 ship with two options: Filtered HTML and Full HTML; Drupal 8 ships with Basic HTML, Restricted HTML, and Full HTML.
Administrators can configure which formats are available to which user roles, choose a default text format, and create new text formats. In Drupal 8, this module also allows you to configure the associated text editor. You can configure each text format to use your choice of filters.
In Drupal 7 and later, when you specify more than one format for a filter, you can specify the order in which they are processed.
Drupal has been powering sites with lots of user-generated content for years, securely and safely. See http://drupal.org/node/213156 for more detailed information on filters, how they work, and how to configure them. Follow these and other best practices to keep your site safe.
Full HTMLtext format is intended for trusted users only (administrators), because it does not restrict the allowed HTML tags at all. This can represent a severe security risk. (Hence the name: the full power and potential of HTML is at the user's disposal.)
Restricted HTMLtext format is intended for anonymous users, and doesn't have CKEditor enabled by default (it's a more restrictive variant of Drupal 6/7's
Filtered HTMLtext format).
Basic HTMLtext format is intended for authenticated users, and does have CKEditor enabled by default (it's a more permissive variant of Drupal 6/7's
Filtered HTMLtext format).
- When working with user-generated content, it's always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow guests to have access to Full HTML.
- Explore contributed modules to install special filters that allow video embeds, references to other content, and so on. See http://drupal.org/node/779080 for documentation on the many modules that extend and enhance input filters.
Drupal 6 and 7-specific considerations
In Drupal 6 and 7, if the "PHP Filter" is enabled (in the "Core Optional" modules), you can allow users to input PHP code. However, this option represents a serious security risk, so use it with care.
This filter is especially dangerous, as it allows code-driven queries to be run on your site's database, among other things. Grant this input format only to users who are not only trusted, but really know what they are doing with PHP and Drupal. A one-character typo could end up with dire consequences for your site.