Hi,

Thanks for HTML Purifier! I've followed the INSTALL.txt and things seem to be working great. However, I am not so sure what to do after that. I've used the regular (not advanced) one in my "Filtered HTML". Do I have to configure anything in admin/settings/filters/1/configure? The "Allowed" and "ForbiddenElements" boxes are empty by default, though some elements, e.g. `<b>` and `<table>`, seem to be already allowed. I plan to use FCKeditor with HTML Purifier. Do I have to change anything, or is the default already safe and functional?

Also, with HTML Purifier enabled, is it OK to disable the other filters, e.g. HTML corrector, HTML filter, Line break converter and URL filter, because they all seem to try to do the same thing as HTML Purifier?

Comments

ezyang

The default allowed set allows as many HTML tags and attributes as is possible while still being safe. You can disable the HTML corrector and HTML filter; if you disable Line break converter you should turn on HTML Purifier's autoparagraphing, and if you disable URL filter you should turn on HTML Purifier's linkification.

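To see what the settings discussed above actually do, here is an added example that calls the HTML Purifier library directly from PHP. It is not code from this thread or from the Drupal htmlpurifier module. It assumes the library's `HTMLPurifier.auto.php` is on the include path and uses the current `$config->set('Namespace.Directive', ...)` form; the "Allowed" and "ForbiddenElements" boxes in Drupal's filter form are assumed to map onto the library's `HTML.Allowed` and `HTML.ForbiddenElements` directives, and the autoparagraphing and linkification ezyang mentions are the `AutoFormat.AutoParagraph` and `AutoFormat.Linkify` directives.

```php
<?php
// Added example, not part of the original thread or the Drupal module.
// Assumes HTML Purifier is installed and HTMLPurifier.auto.php is on the
// include path.
require_once 'HTMLPurifier.auto.php';

/**
 * Build a purifier from the four knobs discussed in the thread.
 *
 * $allowed    null keeps the library's default allowed set (the "Allowed"
 *             box left empty); otherwise an HTML.Allowed whitelist string.
 * $forbidden  null or an HTML.ForbiddenElements list such as 'table,tr,td'.
 * $autoParagraph / $linkify  replacements for Drupal's Line break converter
 *             and URL filter when those filters are switched off.
 */
function build_purifier($allowed = null, $forbidden = null,
                        $autoParagraph = false, $linkify = false) {
    $config = HTMLPurifier_Config::createDefault();
    if ($allowed !== null) {
        $config->set('HTML.Allowed', $allowed);
    }
    if ($forbidden !== null) {
        $config->set('HTML.ForbiddenElements', $forbidden);
    }
    $config->set('AutoFormat.AutoParagraph', $autoParagraph);
    $config->set('AutoFormat.Linkify', $linkify);
    return new HTMLPurifier($config);
}

// Constructed sample input: ordinary markup a user might post, plus the
// kind of content a filter must not let through.
$dirty = "<b>bold</b> <table><tr><td>cell</td></tr></table>\n\n"
       . "<script>alert(1)</script>\n\n"
       . "<a href=\"javascript:alert(1)\" onclick=\"x()\">link</a>\n\n"
       . "Plain text mentioning http://example.com without a tag.";

// 1. Default allowed set (Allowed box empty): <b> and <table> survive,
//    the script element, the on* handler and the javascript: URL do not.
echo "--- default allowed set ---\n";
echo build_purifier()->purify($dirty), "\n\n";

// 2. Explicit whitelist: only the listed elements/attributes remain,
//    so the table is dropped and the link keeps href only (after URL checks).
echo "--- HTML.Allowed = p,b,a[href] ---\n";
echo build_purifier('p,b,a[href]')->purify($dirty), "\n\n";

// 3. Keep the default set but forbid specific elements.
echo "--- HTML.ForbiddenElements = table,tr,td ---\n";
echo build_purifier(null, 'table,tr,td')->purify($dirty), "\n\n";

// 4. Line break converter and URL filter disabled in Drupal: let
//    HTML Purifier wrap bare text in <p> and turn the bare URL into a link.
echo "--- AutoParagraph + Linkify ---\n";
echo build_purifier(null, null, true, true)->purify($dirty), "\n";
```

Run it with `php example.php` and compare the four outputs: case 1 is what "Filtered HTML" with empty boxes does, and case 4 is the configuration ezyang describes for running without Drupal's Line break converter and URL filter. Whichever variant is used, the unsafe pieces of the sample are removed by the library itself, not by the surrounding Drupal filters.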
ball.in.th

Thanks for clearing that up. This is security related so I want to be really really sure. :)

By the way, there are discussions about XSS filtering and the possibility of inclusion into Drupal 7 core. Please take a look, since HTML Purifier is perfect for the job.

ezyang

Status: Active » Closed (fixed)