Last updated November 30, 2015. Created on May 7, 2008.
Edited by alpha2zee. Log in to edit this page.

...from the htmLawed module handbook

The Config. and Spec. form-fields in the htmLawed filter settings form specify the settings the htmLawed filter is to use.


Config., optionally, is specified as a set of comma-separated array elements with keys and values in PHP syntax:

'key-1'=>'value-1', 'key-2'=>'value-2', ...

The value provided is used to generate an array which is passed to the htmLawed filter. It is therefore important to carefully enter values in the Config. form-fields.

The names of keys to use and their possible values and meanings are detailed in the htmLawed documentation. Note that htmLawed uses default values so that in the absence of a specified key, a default value is used for that key during the filtering process. Also, some keys such as safe change such default values of some of the keys.

The default value used by the htmLawed module is:

'safe'=>1, 'elements'=>'a, em, strong, cite, code, ol, ul, li, dl, dt, dd', 'deny_attribute'=>'id, style'

With safe set to 1, htmLawed considers CDATA sections and HTML comments as plain text, and disallows the applet, embed, iframe, object and script elements, and the 'on*' attributes like onclick. Note that because of the value specified for elements, only a, em, strong, cite, code, ol, ul, li, dl, dt and dd are allowed anyway, and that because of the deny_attribute value all id and style attributes are also denied. Note that in Drupal 8, thebr and p tags are also permitted in the default settings.

Here are some more examples of htmLawed settings.

If you want PHP code blocks (flanked by <?php and?>) to escape filtering, then add the key-value 'save_php' => 1 to Config..

To prevent HTML comment code, such as the one used for the Drupal teaser mark (<!--break-->), the key-value 'comment' => 2 should be added to Config..


Spec. is used as the other, optional, parameter for the htmLawed filter. By default, the htmLawed module does not use a Spec. value, but an administrator can provide a value to not allow an otherwise legal attribute for an HTML element, or to restrict the attribute's values.

Spec. can be specified as a string of text. The string should not be quoted. E.g.,

i=-*; td, tr=class, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt

Above means that htmLawed will permit no attribute in i, only class in td or tr, only id and href in a, and all but width and alt in img. Further, for a, the href value should be 34-100 characters long and the id value should start with an alphabet character (a-z) and be followed by at least another alphabet character or digit or hyphen or colon or period.

Please refer to the htmLawed documentation for more about Spec..

Help (or tip fields in Drupal 8)

This field is for instructions/tips that are visible to users submitting input text. Typically, it will indicate the HTML tags that are permitted.

...from the htmLawed module handbook

Looking for support? Visit the forums, or join #drupal-support in IRC.


woeldiche’s picture

Note, that the content of 'Spec' shouldn't be enclosed in quotes.

The documentation above shows the correct format for the Drupal htmLawed module, but htmLawed documentation tells you to enclose the spec in quotes. Had me fooled for a little.

alpha2zee’s picture

Thanks. Corrected the documentation.