Filter module overview
The Filter core module allows you to configure text formats for processing text input for your site. These settings are under Configuration > Content authoring > "Text formats and editors" (/admin/config/content/formats).
Despite the name "filter," the module not only lets you prevent the use of formatting you don't want, but also lets you control and enhance the formatting that appears. For example, the Basic HTML text format has the caption filter enabled by default, which means any image, video, quote, code snippet and so on can be captioned, without needing to enter the exact HTML a specific site wants for it: <img src="" data-caption="Hello world!"> is transformed into <figure><img src=""><figcaption>Hello world!</figcaption></figure> automatically (and that HTML is defined in a template that can be customized).
When users create or edit content, they can choose between the text formats administrators make available to their user role. By default, Drupal 8 and later ships with Basic HTML, Restricted HTML, Full HTML, and Plain text.
Administrators can configure which formats are available to which user roles, choose a default text format, and create new text formats. This module also allows you to configure the associated text editor. You can configure each text format to use your choice of filters. When you enable more than one filter for a format, you can specify the order in which they are processed.
Best Practices
Drupal has been powering sites with lots of user-generated content for years, securely and safely. See Text filters and Input Formats for more detailed information on filters, how they work, and how to configure them. Follow these and other best practices to keep your site safe.
- The Full HTML text format ("full_html") is intended for trusted users only (administrators), because it does not restrict the allowed HTML tags at all. This can represent a severe security risk. (Hence the name: the full power and potential of HTML is at the user's disposal.)
- The Restricted HTML text format ("restricted_html") is intended for anonymous users, and doesn't have CKEditor enabled by default (it's a more restrictive variant of Drupal 6/7's Filtered HTML text format).
- The Basic HTML ("basic_html") text format is intended for authenticated users, and does have CKEditor enabled by default (it's a more permissive variant of Drupal 6/7's Filtered HTML text format).
- The Plain text format displays any HTML as plain text, but converts line breaks into HTML line breaks and URLs into links.
- When working with user-generated content, it's always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role; for example, don't allow guests to have access to Full HTML.
- Explore contributed modules such as Advanced Text Formatter or Custom filter for special filters that allow video embeds or references to other content, or that change or disable the text format used for a Views or Body field in a content type. See Contributed modules for filtering for more modules that extend and enhance input filters.
Alternative approaches
In some cases advanced developers prefer to start with the minimal profile installed. In this case, there are no predefined Text formats, and the developer creates them from scratch. It is obvious that in this case, there is no need to create the standard profile Text formats with the same machine names. An example of such behaviour can be found on Drupal CMS (which is using content_format only for editing content).
Since security is still an issue, it is up to the developer to create safe-to-use Text formats.
Some developers, for example, prefer to create only a single rich Text format for content editing, allowed for any "trusted" Role (of course, not for Anonymous users). The motto here is: "If an Administrator is able to add XXX on CKEditor, then the Drupal role Editor should also be able to add this on CKEditor."
Using a single rich Text format can reduce maintenance costs, simplify format-related issues and configuration files, and force the developer(s) to use "safe-only" methods when features and options need to be added to CKEditor. It is obvious that in this case the Text format option "Limit allowed HTML tags and correct faulty HTML" should be enabled and modified accordingly. In fact, the more features you add to CKEditor, the more benefit you have when using only one format.
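As an added example of the single-format approach (not code from drupal.org or Drupal core): a "rich_text" format created from scratch with the "Limit allowed HTML tags and correct faulty HTML" filter enabled, granted only to trusted roles, plus a lookup of the formats an account may use that avoids hardcoding machine names. The format and role machine names are assumptions.

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\filter\Entity\FilterFormat;
use Drupal\user\Entity\Role;

// Added example, not Drupal core code. "Limit allowed HTML tags and correct
// faulty HTML" is the filter_html filter; its allowed_html setting is the
// complete allowlist, so anything not listed (scripts, inline event
// handlers, iframes, ...) is stripped before output. Names are assumptions.
function example_create_single_rich_text_format(): FilterFormat {
  $format = FilterFormat::create([
    'format' => 'rich_text',
    'name' => 'Rich text',
    'filters' => [
      'filter_html' => [
        'status' => TRUE,
        'weight' => -10,
        'settings' => [
          'allowed_html' => '<br> <p> <h2> <h3> <strong> <em> <ul> <ol> <li> <blockquote> <a href> <img src alt data-caption>',
          'filter_html_help' => TRUE,
          'filter_html_nofollow' => FALSE,
        ],
      ],
      // Caption support as described above; no extra HTML has to be allowed.
      'filter_caption' => ['status' => TRUE, 'weight' => 8],
    ],
  ]);
  $format->save();
  // Grant "use text format rich_text" to trusted roles only (assumed role
  // ids). Anonymous users keep the site's fallback (plain text) format.
  foreach (['content_editor', 'administrator'] as $role_id) {
    if ($role = Role::load($role_id)) {
      $role->grantPermission($format->getPermissionName())->save();
    }
  }
  return $format;
}

// Formats the account may actually use, resolved through the entity access
// handler instead of hardcoded ids such as 'basic_html', so the code works
// with the standard profile's formats or a single custom one alike.
function example_usable_formats(AccountInterface $account): array {
  $storage = \Drupal::entityTypeManager()->getStorage('filter_format');
  $usable = [];
  foreach ($storage->loadByProperties(['status' => TRUE]) as $id => $format) {
    if ($format->access('use', $account)) {
      $usable[$id] = $format->label();
    }
  }
  return $usable;
}
```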
One problem that may arise is that some modules assume the standard profile's predefined formats exist when they are installed. Although this is an issue with the modules themselves, it can be solved by altering the modules via hooks, by adding more advanced conditions to the module code, or, preferably, by using a programmatic way to get the available Text formats without hardcoding them in the code. Since Drupal 8.x, these are entities of type editor (EditorInterface), so someone can get all the Editor entities on a Drupal website like this:
// Editor config entities, keyed by the machine name of their text format.
$editors = \Drupal::service('entity_type.manager')->getStorage('editor')->loadMultiple();

Issue queue
http://drupal.org/project/issues/drupal?component=filter.module