This bug is also a feature. Perhaps we should have three options.

1. No tags allowed.
2. Tags allowed with filtering.
3. All tags allowed.

Of course, as you mention above, at the moment "disable HTML" is actually "Allow All HTML".

Comments

ax’s picture

[adding original bug report that somehow got discarded]

if "Enable HTML tags" is "Disabled" (so you think there is no HTML allowed in user-contributed content at all), no filtering is done. the relevant code snip:

function node_filter($text) {
  if (variable_get("filter_html", 0)) $text = node_filter_html($text);
  // "Disabled" == 0 == FALSE, so node_filter_html is NOT called
  [...]
}

i think it should be

function node_filter($text) {
  if (variable_get("filter_html", 0)) {
    // html ENABLED
    $text = node_filter_html($text);
  }
  else {
    // html DISABLED
    $text = node_filter_html($text, "");
  }
  [...]
}

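function node_filter_html($text, $allowed_html = NULL) {
  // a default argument must be a constant, so the setting is looked up here
  if (is_null($allowed_html)) {
    $allowed_html = variable_get("allowed_html", "");
  }
  // remove style attributes
  $text = eregi_replace("([ \f\r\t\n\'\"])style=[^>]+>", "\\1", $text);
  // remove on* event handler attributes
  $text = eregi_replace("([ \f\r\t\n\'\"])on[a-z]+=[^>]+>", "\\1", $text);
  // remove every tag not listed in $allowed_html ("" removes all tags)
  $text = strip_tags($text, $allowed_html);
  return $text;
}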

and i would suggest to rename either "Enable HTML tags" to "Filter HTML" or, better, the variable "filter_html" to "enable_html_tags". cause that's what i guess caused that problem ("Enable HTML tags" is the opposite of "filter_html").

another thing: if html is disabled, there shouldn't be "Allowed HTML tags:" below submit forms (as it is currently), but something like "HTML not allowed". Guess a new wrapper function ("form_hint"? what would be an appropriate name?) would help. This function should check "filter_html" and "allowed_html" and output the appropriate. Besides, it should give a hint (with examples) to properly quote entities etc. if html is enabled (not doing so is the reason for many complaints).

ax’s picture

Priority: Normal » Critical

fixed in both cvs and 4.1 (by renaming "Enable HTML tags" to "Filter HTML tags").
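
The three options from the first post, with the form hint derived from the same setting so the label and the filter cannot disagree. This is an added example, not Drupal's code: the mode constants and filter_user_html() are assumed names, form_hint() is the name floated in the comment above, and the attribute stripping ports the thread's two patterns to preg_replace.

```php
<?php
// Assumed mode values (not Drupal settings); one per option in the first post.
const HTML_NONE     = 'none';    // 1. no tags allowed
const HTML_FILTERED = 'filter';  // 2. tags allowed with filtering
const HTML_ALL      = 'all';     // 3. all tags allowed

function filter_user_html(string $text, string $mode, string $allowed = ''): string {
  switch ($mode) {
    case HTML_ALL:
      return $text;
    case HTML_FILTERED:
      // Drop style= and on*= attributes, then every tag not in $allowed.
      $text = preg_replace('/([\s\'"])(?:style|on[a-z]+)=[^>]+/i', '$1', $text);
      return strip_tags($text, $allowed);
    case HTML_NONE:
    default:
      // An unset or unrecognised mode fails closed: all tags are removed,
      // instead of falling through to "no filtering" as in the reported bug.
      return strip_tags($text);
  }
}

function form_hint(string $mode, string $allowed = ''): string {
  switch ($mode) {
    case HTML_ALL:
      return 'All HTML tags allowed.';
    case HTML_FILTERED:
      return 'Allowed HTML tags: ' . htmlspecialchars($allowed);
    default:
      return 'HTML not allowed.';
  }
}

// Constructed sample input; 'typo' stands in for a misconfigured setting.
$sample  = '<b onclick="x()">bold</b> <script>alert(1)</script>';
$allowed = '<b><i>';
foreach ([HTML_NONE, HTML_FILTERED, HTML_ALL, 'typo'] as $mode) {
  printf("%-7s %s\n        %s\n", $mode, form_hint($mode, $allowed),
         filter_user_html($sample, $mode, $allowed));
}
```

strip_tags() removes the tags but keeps the text between them, so script bodies remain in the output as plain text.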