Allow more html tags by default.

Which markup elements are available to an input filter is configurable by the Drupal instance administrator or someone with sufficient permissions.

I disagree. The minimal given is perfectly fine. table tags allow unsuspecting & suspecting users to break your layout.
img tags aren't necessary for all sites as some sites don't allow people to add images in this fashion. There is also an issue of users who aren't very good with HTML consistently input incorrect HTML then you are consistently having to fix those posts as an admin. I wouldn't want users typing in h6 for an entire post.

It's a double edged sword, to solve this drupal allows you to add tags to the FILTERED HTML input format. Thus if you want the tags, as admin of your site, you can quickly add them.

Personally, I believe it's better to allow people to add tags, then it is to force people to have to remove tags from the FILTERED Input Format.

posted at same time as user in comment #1 which shifted the dropdowns.

Related issue: #197425: Usability: enable BLOCKQUOTE by default.

While I think the blockquote should be included by default, I'm not sure how I feel about the others. I think Drupal should ship with a minimal set of supported tags and then admins can expand the tags as they see fit. The premise of the filter, as I understand it, is for posting content, so markup such as table, divs, and font tags haven't been included by default, which I agree with. I don't really think most people want to give their users that much control over their content, but it depends who this filter is designed for. I think designing it for general user input and therefore supporting a restricted set of tags makes sense.

font elements? Marking text up with font elements is somewhat 1997, don't you think? Even GUI systems like TinyMCE and FCKEditor do better than using font elements.

<b>, <i>, and <font> are all deprecated, and should not be added for that reason. <strong> has replaced <b>, <em> has replaced <i>, and css styling has replaced <font>.

However, i've always been confused as to why <p> and <h2> - <h6> aren't included. I can't imagine them breaking the site, i can't imagine any attack being able to use them as a vector, and they are really important to semantic structure.

I think that the default list of HTML tags was already tweaked for Drupal 7.

The allowed HTML tags in the Filtered HTML text format are not only used for nodes, but also comments, and user signatures by default. Therefore, this text format is limited, by design.

We are talking about defaults, so we need to take all defaults of the text format into account - including other enabled filters and the default processing order of filters.

• <p> and <br> are needless, the auto-paragraph filter is enabled by default.
• <b> and <i> are not accessible and already represented by <strong> and <em>.
• <div> is a good recipe to allow your users and site visitors to entirely break your site's layout and has no meaning.
• <h1> usually defines the page title, normally never allowed to be used within content.
• <h2> to <h6> may be suitable for nodes, but not for comments or user signatures. And even for nodes, it highly depends on your custom use-case.
• <blockquote> is already present.
• <hr> is an advanced formatting element, usually not suitable for comments or user signatures, as those use other means to separate things visually (theme CSS).
• <span> is useless cruft, in terms of this text format's purpose.
• <strike> or <del> are only useful, if users are allowed to edit their content after creation. Depends on your custom use-case.
• <sup> and <sub> are rarely used and I'd add that they are only commonly known and used if there is a client-side editor button that exposes the markup feature. These are the only that I would accept as being debatable, so please create a new issue to discuss them.

<p> and <br> are needless, the auto-paragraph filter is enabled by default.

True, but they should be allowed since people expect them to work and may not use the auto-paragraph filter... also it depends on the order you apply filters. It can't hurt to allow these.

<div> is a good recipe to allow your users and site visitors to entirely break your site's layout and has no meaning.

Totally agreed.

<span> is useless cruft, in terms of this text format's purpose.

It would be nice to have some like that one, del, sub, sup, and possibly others. What we allow users to edit and different levels trust may mean we want to open up further tags. It would be nice to have some pre-selected "safe, but less needed" tags available to allow as a group or in part, somehow). The WYSIWYG text editors use a lot of these tags, even BBCode applies span tags if you allow a user to bump up the size of some text or add color. I'm leery about allowing many of these, but I'd also like to treat my members as adults and edit ugly posts if necessary -- and there could be other reasons to use the <del> tag than to mark text that has been edited on-site... for irony, or to correct something quoted from elsewhere, etc.

I actually came to this thread since I was wondering if there would be any discussion of reasons we REALLY wouldn't want to allow the <span> tag, since the BBCode module seems to convert some BBCode tags to spans. Annoyingly, it also converts [s] to <s> tags instead of <del>; but the former is deprecated, isn't it? I guess it also puts <span> tags and adds odd font attributes to apply italic and bold instead of sticking to em and strong tags, etc. I actually just changed that behavior in the BBCode module, so hopefully that will work now. I'm trying to allow my users reasonably broad use of BBCode, Markdown, and a subset of HTML and give them an editor (Markitup instead of the bloated WYSIWYG ones that are hard to adjust) that isn't too complex. I like CKEditor and WYSIWYG (project), too... but moving between WYSIWYG and "plain" view to add/fix things the editor couldn't do is a bit tedious. So I'm going with Markitup and BBCode by default, though I may allow switching to a WYSIWYG editor for people who'd really prefer that.

These are all good points but I would think more about what a new Drupal user will expect to be able to do. If a majority of installs are making changes to add some of these tags then I would consider that a good reason to change the defaults. The defaults should be the most commonly used not just what works best for comments and signatures. I can't help but look at the Allowed HTML tags here on d.o and assume that would make a better default. Almost all the tags you listed as unnecessary are allowed here and in the forums.

note that those tags just recently became available here and in the forums with the addition of the editor. If you want this revisited, you should reactivate this thread.

These tags should be added because they are safe, useful, and don't have any drawbacks (won't break your layout): ...<sub> <sup>

I'm pretty sure <sub> and <sup> tags can be nested and break your layout.