Last updated November 17, 2015. Created on May 9, 2005.
Edited by Wim Leers, ashish_nirmohi, margyly, hamonwry. Log in to edit this page.

The Filter core module allows you to configure text formats for processing text input for your site.

  • In Drupal 8, these settings are under Configuration > Content Formatting > "Text formats and editors" (/admin/config/content/formats).
  • In Drupal 7, these settings are under Configuration > "Text formats" (/admin/config/content/formats).
  • In Drupal 6 and earlier, these settings are under "Site Configuration" > "Input formats".

Despite the name "filter," the module not only lets you prevent the use of formatting you don't want, but also lets you control and enhance the formatting that appears. For example, the Basic HTML text format has the caption filter enabled by default, which means any image, video, quote, code snippet and so on can be captioned, without needing to enter the exact HTML a specific site wants for it: <img src="" data-caption="Hello world!"> is transformed into <figure><img src=""><figcaption>Hello world!</figcaption></figure> automatically (and that HTML is defined in a template that can be customized).

When users create or edit content, they can choose between the text formats administrators make available to their user role. By default, Drupal 6 and 7 ship with two options: Filtered HTML and Full HTML; Drupal 8 ships with Basic HTML, Restricted HTML, and Full HTML.

Administrators can configure which formats are available to which user roles, choose a default text format, and create new text formats. In Drupal 8, this module also allows you to configure the associated text editor. You can configure each text format to use your choice of filters.

In Drupal 7 and later, when you specify more than one format for a filter, you can specify the order in which they are processed.

Best Practices

Drupal has been powering sites with lots of user-generated content for years, securely and safely. See for more detailed information on filters, how they work, and how to configure them. Follow these and other best practices to keep your site safe.

  1. The Full HTML text format is intended for trusted users only (administrators), because it does not restrict the allowed HTML tags at all. This can represent a severe security risk. (Hence the name: the full power and potential of HTML is at the user's disposal.)
  2. The Restricted HTML text format is intended for anonymous users, and doesn't have CKEditor enabled by default (it's a more restrictive variant of Drupal 6/7's Filtered HTML text format).
  3. The Basic HTML text format is intended for authenticated users, and does have CKEditor enabled by default (it's a more permissive variant of Drupal 6/7's Filtered HTML text format).
  4. When working with user-generated content, it's always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow guests to have access to Full HTML.
  5. Explore contributed modules to install special filters that allow video embeds, references to other content, and so on. See for documentation on the many modules that extend and enhance input filters.

Drupal 6 and 7-specific considerations

In Drupal 6 and 7, if the "PHP Filter" is enabled (in the "Core Optional" modules), you can allow users to input PHP code. However, this option represents a serious security risk, so use it with care.

This filter is especially dangerous, as it allows code-driven queries to be run on your site's database, among other things. Grant this input format only to users who are not only trusted, but really know what they are doing with PHP and Drupal. A one-character typo could end up with dire consequences for your site.

Issue queue

Looking for support? Visit the forums, or join #drupal-support in IRC.