Home » Beyond the basics » Contributed modules » Filter modules » htmLawed: purify HTML for security, standards and admin-compliance

Basic installation

·

1. Download the latest version of the module recommended for your Drupal core from the project site for htmLawed module.

2. Uncompress the download and move the htmLawed folder to the right location in your Drupal directory; e.g., sites/all/modules (you may have to create such a sub-folder).

3. Enable the htmLawed (X)HTML filter/purifier module after browsing to the Administer » Site building » Modules section of your Drupal site.

4. Browse to the Administer » Site configuration » Input formats section. There you can configure an input format to make it use htmLawed by selecting it in the list of filters available for the input format. With htmLawed turned on, you may safely disable Drupal's HTML filter and/or HTML corrector filters. Depending on the other filters enabled for the input format, you may need to Rearrange the filters. Usually, htmLawed would be set to run as the last filter (perhaps second-last, if the Line break converter filter is enabled).

5. To configure htmLawed, choose to configure an input format, for which htmLawed has been enabled, and then choose the Configure link on the ensuing page to get to the filter-settings form. The default settings, that can be applied for any content-type, are set using the Default sub-form. Separate sub-forms for each content-type allow you to over-ride the defaults. The content-type-specific sub-forms allow you to choose to use (or disable) htmLawed as well as to configure it by editing the Config. and Spec. form fields -- the former is filled with comma-separated, quoted, key-value pairs like 'safe'=>1, 'elements'=>'a, em, strong' (these are interpreted as PHP array elements), and the latter is a string of text that declares the third argument for the htmLawed function... see htmLawed documentation or this handbook-page for more. The Help form field can be filled with information about the filter (such as what tags are allowed) to be displayed to the users.

  • A screenshot image of the settings form can be seen here.
  • Filtering is further individualized for Body, Comment, Other and Teaser. Body refers to the main content (such as a blog-post). Comment refers to a user comment on the main content. Other refers to special input text such as header which is available when the Views modules is in use. Teaser refers to the teasers including RSS newsfeed items generated from the main content. If htmLawed is enabled for Teaser, effectively, the htmLawed filtering, the last of all filtering, is done after any filtering specified by Body.
  • For Body and Comment, filtering can also be enabled for the save phase, before input is saved in the site database. However, you have to check if this causes conflicts with filters other than the Drupal PHP evaluator filter that rely on the <, > and & characters.
  • The default settings have the filter turned on for Body, Comment and Other (but not Teaser), allow the a, em, strong, cite, code, ol, ul, li, dl, dt and dd HTML tags, and deny the id and style attributes, and any unsafe markup (such as the scriptable HTML attributes). For Teaser, the default settings also permit the br and p tags.
  • The default settings are used to pre-fill the settings form-fields like Config.. Emptying a field does not mean that the default settings will be used. The default settings are certainly used when the module cannot find/interpret the right database-stored Config./Spec. values.
  • Highly customized filtering can be achieved by appropriately setting Config. and Spec..

6. For restricting permissions to administer the htmLawed settings, go to the Administer » User management » Permissions section of your site. Ideally, only the main administrator of the site should have the access.

‹ htmLawed: purify HTML for security, standards and admin-complianceupConfiguration ›
» Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.