
Specifying the allowed formats for user input

Last updated July 14, 2010. Created by aj045 on May 9, 2005.
Edited by laura s, LeeHunter, AjK, ghankstef.

The Filter core module allows you to configure formats for text input for your site.

  • In Drupal 7, these settings are under "Text formats" on the "Configuration" screen.
  • In Drupal 6 and earlier, these settings are under "Input formats" in the "Site Configuration" area.

Despite the name "filter," the module not only lets you keep out text you don't want but also lets you enhance the text you let in. So, for example, you can use a filter to turn ordinary line breaks into HTML paragraph tags.

When users create or edit content, they can choose between the input formats you make available to their user role. You can configure which formats are available to which user roles, as well as choose a default input format. You can also create new input formats. And you can configure each input format to use your choice of filters.

In Drupal 7 and later, when you enable more than one filter for a text format, you can also specify the order in which those filters are processed.
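As an added example (not code from the original page or from Drupal itself), here is how a custom Drupal 7 module could create such a restricted text format programmatically in its install hook, choosing its filters, ordering them by weight, and granting it only to a trusted role. The module name `mysite_formats`, the format machine name and the allowed-tag list are assumptions; the functions called are Drupal 7 core APIs.

```php
<?php
/**
 * Implements hook_install() for a hypothetical module "mysite_formats".
 *
 * Added example: creates a restricted text format with an explicit tag
 * allowlist, orders its filters by weight, and grants it to authenticated
 * users only. Uses Drupal 7 core: filter_format_save(),
 * filter_permission_name(), user_role_grant_permissions().
 */
function mysite_formats_install() {
  $format = (object) array(
    'format' => 'restricted_html',   // Machine name (assumption).
    'name'   => 'Restricted HTML',
    'weight' => 0,
    'filters' => array(
      // Filters run in ascending weight order.
      'filter_html' => array(
        'weight' => 0,
        'status' => 1,
        'settings' => array(
          // Allowlist: any tag not listed here is stripped from the output.
          'allowed_html' => '<a> <em> <strong> <ul> <ol> <li> <p> <br>',
          'filter_html_help' => 1,
          // Add rel="nofollow" to links so posted URLs earn no search ranking.
          'filter_html_nofollow' => 1,
        ),
      ),
      // Turn bare URLs into links, then line breaks into paragraphs.
      'filter_url'   => array('weight' => 1, 'status' => 1),
      'filter_autop' => array('weight' => 2, 'status' => 1),
      // The HTML corrector runs last so it closes tags left open by
      // earlier filters and keeps the page layout intact.
      'filter_htmlcorrector' => array('weight' => 10, 'status' => 1),
    ),
  );
  filter_format_save($format);

  // Each format is exposed as a permission ("use text format restricted_html").
  // Grant it to logged-in users only; the anonymous role never receives it.
  $permission = filter_permission_name($format);
  user_role_grant_permissions(DRUPAL_AUTHENTICATED_RID, array($permission));
}
```

Because "Full HTML" and the PHP filter bypass this kind of allowlist entirely, the same permission mechanism is what keeps them away from untrusted roles.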

If the "PHP Filter" is enabled (in the "Core Optional" modules), you can allow users to input PHP code. However, this option represents a serious security risk and should be used with care.

Best Practices

Whenever working with user-generated content, it's always best to keep input format settings as secure as possible. Here are some things to consider:

  • Using the "Full HTML" filter allows HTML to be posted unfiltered. This could represent a severe security risk.
  • The PHP Filter is especially dangerous, because it allows, among other things, code-driven queries to be run on your site's database. Grant this input format only to users who are not only trusted but really know what they are doing with PHP and Drupal. A one-character typo could end up with horrifying consequences.
  • Note that blanket allowance of a tag such as <img> could result in someone posting an image that is simply too big for your page layout, breaking the site. Explore contributed modules to upload and resize images so they fit nicely on your site.
  • Explore contributed modules to install special filters that allow video embeds, references to other posts, and so on. See http://drupal.org/node/779080 for documentation on many modules to extend and enhance input filters.

Drupal has been powering community sites with lots of user-generated content for years, and doing it securely and safely. Follow best practices and keep your site safe. See http://drupal.org/node/213156 for more detailed information on filters, how they work, and how to configure them.
