This project is not covered by Drupal’s security advisory policy.
Allowing editors to embed arbitrary HTML on a site is generally a bad idea, but sometimes it is a clear business requirement.
This module limits the damage that embedded HTML can do and reduces the resulting security risk.
It adds a "secure html" filter that wraps the supplied content in an iframe. The iframe can be given a "sandbox" attribute, which runs the content under an opaque origin and blocks script execution, form submission and access to the parent window unless the corresponding allow-* tokens are listed (see https://www.w3schools.com/tags/att_iframe_sandbox.asp). Note that the sandbox only holds if you do not hand back the keys: "allow-scripts" re-enables JavaScript inside the frame, and combining it with "allow-same-origin" lets the framed content reach the parent document and remove its own sandbox attribute, so that pair should never be granted to untrusted content.
There are two ways of using this module:
- Use it as a text format filter. Keep in mind that this filter is irreversible (the original markup ends up inside the iframe) and must be the last filter in the sequence, otherwise later filters will operate on, or strip, the generated iframe instead of the content.
- Use it from your own module via the theme callback:
$dangerous_html = [
  '#theme' => 'secure_html',
  // The untrusted markup to display; it is placed inside the iframe.
  '#content' => '<html...',
  '#attributes' => [
    // Sandbox tokens for the iframe. This setting still lets scripts run
    // (under an opaque origin) and lets forms submit; leave the value empty
    // for the most restrictive sandbox.
    'sandbox' => 'allow-forms allow-scripts',
  ],
];
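The following is an added example of the second usage, not code from the module or its project page. The only parts taken from the page are the render element keys ('#theme' => 'secure_html', '#content', '#attributes'); the helper names, the token allowlist and the sample markup are assumptions made here for illustration. It validates the sandbox tokens before handing them to the render array and refuses the allow-scripts plus allow-same-origin combination that would let the framed content escape the sandbox.

```php
<?php
// Added example; not part of the Secure HTML module. The '#theme' =>
// 'secure_html' element and its '#content' / '#attributes' keys come from
// the project page; everything else (helper names, allowlist) is illustrative.

// Token values defined for the iframe "sandbox" attribute in the HTML spec.
const SECURE_HTML_SANDBOX_TOKENS = [
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
];

/**
 * Normalise a space-separated sandbox token string and reject anything
 * that is not a known token or that would let the content escape.
 *
 * @throws \InvalidArgumentException
 */
function secure_html_sandbox_tokens(string $sandbox): string {
  $tokens = array_values(array_unique(array_filter(
    explode(' ', strtolower(trim($sandbox)))
  )));

  $unknown = array_diff($tokens, SECURE_HTML_SANDBOX_TOKENS);
  if ($unknown) {
    throw new \InvalidArgumentException(
      'Unknown sandbox token(s): ' . implode(', ', $unknown)
    );
  }

  // With both tokens the framed document shares the parent's origin and can
  // run script, so it can simply delete its own sandbox attribute.
  if (in_array('allow-scripts', $tokens, TRUE)
      && in_array('allow-same-origin', $tokens, TRUE)) {
    throw new \InvalidArgumentException(
      'allow-scripts together with allow-same-origin defeats the sandbox'
    );
  }

  return implode(' ', $tokens);
}

/**
 * Build the render array for untrusted markup. An empty $sandbox string
 * gives the most restrictive sandbox: no scripts, no forms, opaque origin.
 */
function secure_html_render_array(string $untrusted_markup, string $sandbox = ''): array {
  return [
    '#theme' => 'secure_html',
    '#content' => $untrusted_markup,
    '#attributes' => [
      // An empty sandbox attribute still sandboxes; omitting the key
      // entirely would render an unsandboxed iframe.
      'sandbox' => secure_html_sandbox_tokens($sandbox),
    ],
  ];
}

// Usage from a controller or block plugin (constructed sample markup).
$build = secure_html_render_array(
  '<p>Vendor widget</p><script>alert(document.cookie)</script>',
  'allow-forms'
);
// $build['#attributes']['sandbox'] is 'allow-forms': the script tag is
// rendered inside the frame but does not execute, and the frame has no
// access to the parent page's cookies or DOM.
```

Keep the sandbox value as tight as the embedded content actually needs; each allow-* token you add is a capability you are granting to markup you do not control.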
Project information
- Maintenance status: Maintenance fixes only (considered feature-complete by its maintainers)
- Project categories: Content editing experience
- Created by anrkaid on , updated
Use at your own risk! It may have publicly disclosed vulnerabilities.