Last updated 14 June 2016. Created on 21 February 2008.
Edited by greggles, hansfn, Pere Orga, dstol. Log in to edit this page.

Drupal's Input Formats provide a variety of benefits. They can be used to enhance the functionality of your site but one of the main purposes is to ensure that data entered on your site is safe for site visitors. For example, if you allow anonymous commenting with "Full HTML" input format, a visitor could add an inappropriate image or malicious JavaScript code capable of changing your password on the site.

  • To create and configure text formats in Drupal 6 navigate to administer -> input formats
  • To create and configure text formats in Drupal 7 navigate to administer -> text formats

The default input format configurations and permissions are safe. There are a couple of things you may change which can make them unsafe:

  1. Adding tags to input filters be especially careful with the roles allowed to use the following tags: APPLET, BODY, BASE, DIV, EMBED, FORM, FRAME, FRAMESET, HTML, IMG, IFRAME, INPUT, LINK, META, OBJECT, SCRIPT, SPAN, STYLE, TABLE, TR, TD.
  2. Re-arranging the order of filters especially for untrusted users (anonymous, or those with low level roles) you will want to have the HTML Filter run at the end of the set of filters.
  3. Changing permissions on filters you should only allow advanced tags (item 1 above) and "Full HTML" for registered users that you trust.

While it is tempting, especially when using WYSIWYG editors, to enable more tags for anonymous users or to allow "Full HTML" this will lead to an unsafe site. Then it is only a matter of time and luck until your site is either compromised or used to attack another site.

This page is based on advice from Feedparser's HTML sanitization and list of XSS vulnerabilities on OWASP.org. If you have ideas about changing tags from one area to another, please read those pages first.

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.