Last updated May 11, 2012. Created on May 7, 2008.
Edited by alpha2zee.

...from the htmLawed module handbook

The Config. and Spec. form-fields in the htmLawed module configuration form specify the settings the htmLawed filter is to use.


Config., optionally, is specified as a set of comma-separated array elements with keys and values in PHP syntax:

'key-1'=>'value-1', 'key-2'=>'value-2', ...

The value provided is used to generate an array which is passed to the htmLawed filter. It is therefore important to carefully enter values in the Config. form-fields.

The names of the keys to use, and their possible values and meanings, are detailed in the htmLawed documentation. Note that htmLawed uses default values, so if a key is not specified, a default value is used for that key during filtering. Also, some keys, such as safe, change the default values of some of the other keys.

The default value used by the htmLawed module is:

'safe'=>1, 'elements'=>'a, em, strong, cite, code, ol, ul, li, dl, dt, dd', 'deny_attribute'=>'id, style'

With safe set to 1, htmLawed considers CDATA sections and HTML comments as plain text, and disallows the applet, embed, iframe, object and script elements, and the 'on*' attributes like onclick. Note that because of the value specified for elements, only a, em, strong, cite, code, ol, ul, li, dl, dt and dd are allowed anyway, and that because of the deny_attribute value all id and style attributes are also denied.

Here are some more examples of htmLawed settings.

In version 3 of the module, if Drupal's PHP code evaluator is in use as a filter, and it is to be executed after htmLawed, then the key-value 'save_php' => 1 should be added to the Config. value.

To allow use of the Drupal teaser mark <!--break-->, the key-value 'comment' => 2 should be added to the Config. value. Note that this will permit all HTML comments to get through the htmLawed filter, but no security or presentation issues are anticipated because of this, as '<' and '>' characters within the comments will be converted to HTML entities.
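The following Python script is an added example, not code from the handbook or from the htmLawed module. It parses Config. text strictly instead of evaluating it and lists where the result departs from the module default described above; the function names, the accepted syntax (single-quoted string or integer values only) and the LOOSENED sample are assumptions of this example.

```python
import re

# One element of the Config. field: 'key' => 'string' or 'key' => integer.
# Assumption: only the single-quoted scalar form shown on this page is accepted.
PAIR = re.compile(r"\s*'([a-z_:]+)'\s*=>\s*(?:'([^'\\]*)'|(-?\d+))\s*(?:,|$)")

def parse_config(field):
    """Turn Config. text into a dict by strict matching, never by evaluating it."""
    field, config, pos = field.strip(), {}, 0
    while pos < len(field):
        m = PAIR.match(field, pos)
        if m is None:
            raise ValueError(f"not a 'key'=>value element at offset {pos}: {field[pos:pos + 20]!r}")
        key, text, number = m.groups()
        config[key] = int(number) if number is not None else text
        pos = m.end()
    return config

def review(config):
    """List where a parsed Config. departs from the module default described on the page."""
    findings = []
    if str(config.get("safe")) != "1":
        findings.append("safe is not 1: the safe-mode blocking of applet, embed, iframe, "
                        "object, script and on* attributes is off")
    if "elements" not in config:
        findings.append("no elements allowlist: the permitted tags are left to htmLawed's defaults")
    # Assumption: deny_attribute uses the plain comma-separated form shown on the page.
    denied = {a.strip() for a in str(config.get("deny_attribute", "")).split(",")}
    for attr in ("id", "style"):
        if attr not in denied:
            findings.append(f"{attr} attribute is not denied")
    if str(config.get("comment")) == "2":
        findings.append("comment is 2: all HTML comments pass through the filter")
    if str(config.get("save_php")) == "1":
        findings.append("save_php is 1: only needed when the PHP code evaluator runs after htmLawed")
    return findings

# The module default quoted on the page, and a loosened value constructed for this example.
MODULE_DEFAULT = ("'safe'=>1, 'elements'=>'a, em, strong, cite, code, ol, ul, li, dl, dt, dd', "
                  "'deny_attribute'=>'id, style'")
LOOSENED = "'safe'=>0, 'comment'=>2, 'deny_attribute'=>'id'"

if __name__ == "__main__":
    for name, text in (("module default", MODULE_DEFAULT), ("loosened", LOOSENED)):
        print(name, "->", review(parse_config(text)) or "matches the default hardening")
```

Text that is not a sequence of 'key'=>value elements, such as an unquoted key, raises ValueError instead of being passed on.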


Spec. is used as the other, optional, parameter for the htmLawed filter. By default, the htmLawed module does not use a Spec. value, but an administrator can provide a value to not allow an otherwise legal attribute for an HTML element, or to restrict the attribute's values.

Spec. can be specified as a string of text. The string should not be quoted. E.g.,

i=-*; td, tr=class, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt

The above means that htmLawed will permit no attribute in i, only class in td or tr, only id and href in a, and all but width and alt in img. Further, for a, the href value should be 34 to 100 characters long, and the id value should start with an alphabetic character (a-z) and be followed by at least another alphabetic character or digit or hyphen or colon or period.

Please refer to the htmLawed documentation for more about the Spec. parameter.


This field is for instructions/tips that are visible to users submitting input text. Typically, it will indicate the HTML tags that are permitted.

Caching (only for version 2 of the module)

Check the Do not cache item to disable the use of cached filtered content. Content filtered using an input text format, which may have other filters besides htmLawed, will then not be cached after filtering, so filtering will occur every time the content is displayed. Note that besides the Drupal core, other modules may have their own caching logic.



woeldiche’s picture

Note that the content of 'Spec' shouldn't be enclosed in quotes.

The documentation above shows the correct format for the Drupal htmLawed module, but htmLawed documentation tells you to enclose the spec in quotes. Had me fooled for a little.

alpha2zee’s picture

Thanks. Corrected the documentation.