...from the htmLawed module handbook
- Download the latest version of the module recommended for your Drupal core from the project site for htmLawed module. Uncompress the download and move the htmLawed folder to the right location in your Drupal directory; e.g., sites/all/modules (you may have to create such a sub-folder). In Drupal 7, one can simply use the Install new module link in the Administration » Modules section of the Drupal site.
- Note that for Drupal 6, version 2 of the module is not compatible with version 3. That is, the latter cannot use the settings from the former. If you use version 2 and wish to update to version 3, note the htmLawed settings you want to use with the formats that use htmLawed, and uninstall the old version 2 of the module before installing version 3.
- Enable the htmLawed (X)HTML filter/purifier module after browsing to the Administration » Modules section (in Drupal 6 or lower, Administer » Site building » Modules).
- Browse to the Administer » Configuration » Content authoring » Text formats section (in Drupal 6 or lower, Administer » Site configuration » Input formats). There you can configure an input text format to make it use htmLawed by selecting it in the list of filters available for the format. With htmLawed turned on, you may safely disable Drupal's core filters to limit allowed HTML or correct faulty HTML (in Drupal 6 or lower, the HTML filter and/or HTML corrector filters). Depending on the other filters enabled for the format, you may need to rearrange the processing order of the filters for the htmLawed filtering to work properly. Usually, htmLawed would be set to run as the last filter. Regardless, htmLawed has to be configured so as to allow any HTML markup generated by filters that are executed before it.
- For simple configuration of the htmLawed module, choose to configure an input text format, for which htmLawed has been enabled, and then choose the Configure link on the ensuing page to get to the htmLawed filter-settings form, and click the Save button to accept the pre-filled, simple configuration settings. By default, htmLawed runs with the safe option enabled, and permits the use of the tags a, em, strong, cite, code, ol, ul, li, dl, dt and dd but denies the id and style tag (HTML element) attributes as well as the unsafe and scriptable attributes like onclick. For more on the form-fields like Config. that are used for setting htmLawed's filtering rules, see this page of the handbook.
- In version 2 of the module, for more advanced configuration, choose to configure a format, for which htmLawed has been enabled, and then choose the Configure link on the ensuing page to get to the filter-settings form. The default settings, that can be applied for any content-type, are set using the Default sub-form. Separate sub-forms for each content-type allow you to over-ride the defaults. The content-type-specific sub-forms allow you to choose to use (or disable) htmLawed as well as to configure it by editing the Config. and Spec. form fields -- the former is filled with comma-separated, quoted, key-value pairs like 'safe'=>1, 'elements'=>'a, em, strong' (these are interpreted as PHP array elements), and the latter is a string of text that declares the third argument for the htmLawed function... see htmLawed documentation or this handbook-page for more. The Help form field can be filled with information about the filter (such as what tags are allowed) to be displayed to the users.
- A screenshot image of the settings form can be seen here.
- Filtering is further individualized for Body, Comment, Other and Teaser. Body refers to the main content (such as a blog-post). Comment refers to a user comment on the main content. Other refers to special input text, such as a header, which is available when the Views module is in use. Teaser refers to the teasers, including RSS newsfeed items, generated from the main content. If htmLawed is enabled for Teaser, the htmLawed filtering, the last of all filtering, is effectively done after any filtering specified by Body.
- For Body and Comment, filtering can also be enabled for the save phase, before input text is saved in the site database. However, you have to check if this causes conflicts with filters other than the Drupal PHP evaluator filter that rely on the <, > and & characters.
- The default settings have the filter turned on for Body, Comment and Other (but not Teaser), allow the a, em, strong, cite, code, ol, ul, li, dl, dt and dd HTML tags, and deny the id and style attributes, and any unsafe markup (such as the scriptable HTML attributes). For Teaser, the default settings also permit the br and p tags.
- The default settings are used to pre-fill the settings form-fields like Config.. Emptying a field does not mean that the default settings will be used. The default settings are certainly used when the module cannot find/interpret the right database-stored Config./Spec. values.
- Highly customized filtering can be achieved by appropriately setting Config. and Spec..
- In version 2 of the module, to restrict permissions to administer the htmLawed settings, use the link for htmLawed permissions on the Administration » Modules section of your site (in Drupal 6 or lower, Administer » User management » Permissions). Ideally, only the main administrator of the site should have this access.
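A way to review a Config. value against the defaults described above, and against the tags that earlier filters in the format emit. This is an added example, not code from the module or the handbook; the parser, the function names and the sample string are assumptions, `deny_attribute` is htmLawed's own parameter name for denied attributes, and only plain comma-separated element lists are evaluated.

```python
import re

# Defaults as described in the handbook text.
DEFAULT_ELEMENTS = {"a", "em", "strong", "cite", "code",
                    "ol", "ul", "li", "dl", "dt", "dd"}
DEFAULT_DENIED = {"id", "style"}
# One 'key'=>value pair; the value is a quoted string or an integer.
PAIR = re.compile(r"'([^']+)'\s*=>\s*(?:'([^']*)'|(-?\d+))")

# Constructed sample of a Config. field matching the described defaults.
SAMPLE_DEFAULT = ("'safe'=>1, 'elements'=>'a, em, strong, cite, code, "
                  "ol, ul, li, dl, dt, dd', 'deny_attribute'=>'id, style'")


def parse_config(text):
    """Turn the comma-separated 'key'=>value pairs into a dict."""
    return {key: (int(ival) if ival else sval)
            for key, sval, ival in PAIR.findall(text)}


def _names(value):
    """Split a comma-separated list into a set of lower-case names."""
    return {n.strip().lower() for n in str(value).split(",") if n.strip()}


def audit_config(text, upstream_tags=()):
    """Return findings for one Config. value; an empty list means no drift."""
    cfg = parse_config(text)
    findings = []
    if str(cfg.get("safe")) != "1":
        findings.append("safe is not enabled")
    missing = DEFAULT_DENIED - _names(cfg.get("deny_attribute", ""))
    if missing:
        findings.append("attributes no longer denied: " + ", ".join(sorted(missing)))
    allowed = _names(cfg.get("elements", ""))
    if not allowed:
        return findings + ["no elements list set; tags are not limited to the defaults"]
    if any(not n.isalnum() for n in allowed):
        # Wildcard or +/- element syntax is outside this sketch.
        return findings + ["elements uses non-plain syntax; review by hand"]
    extra = allowed - DEFAULT_ELEMENTS
    if extra:
        findings.append("tags allowed beyond the defaults: " + ", ".join(sorted(extra)))
    blocked = {t.lower() for t in upstream_tags} - allowed
    if blocked:
        findings.append("tags from earlier filters not in the allowed list: "
                        + ", ".join(sorted(blocked)))
    return findings
```

Pass the tags produced by filters that run before htmLawed as `upstream_tags` to see which of them the current element list would not let through.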