This project is not covered by Drupal’s security advisory policy.

The 6.x version is out as a development snapshot. Please test it and report bugs.

Safe HTML is a module that filters input before the content is stored in the database. Unlike Drupal's basic filtering system, which filters on output, Safe HTML filters the submitted form post and cleans the code before the content is stored in the site backend.

Safe HTML must be enabled as a filter for the desired input format in the Input formats section. Safe HTML cannot be used in conjunction with the PHP Parser filter, because Safe HTML strips any PHP code. Safe HTML can be used together with the HTML Filter in order to limit HTML tags to an allowed list.

Administrators and allowed users can define custom PHP code to perform additional tasks on the form input. The site administrator defines which custom transformations are applied to the form content. The transformations must be applied to a variable named $html. Example:

// strip consecutive spaces
$html = preg_replace("/[ ]{2,}/i", " ", $html);
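A more substantial custom transformation of the same kind, written here as an added example and not taken from the Safe HTML module: it parses $html with PHP's DOMDocument (assumed available), drops href/src attributes whose scheme is not in a small allowlist, and marks external links with rel="nofollow noopener". It assumes $html holds the submitted markup and leaves the result in $html, as the module requires.

```php
<?php
// Added example, not part of the Safe HTML module. Allowed link schemes (assumption).
$allowedSchemes = array('http', 'https', 'mailto');

$doc = new DOMDocument();
libxml_use_internal_errors(true);                       // tolerate sloppy user markup
// The XML declaration forces UTF-8; the <body> wrapper keeps the fragment together.
$doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
libxml_clear_errors();

$xpath = new DOMXPath($doc);
foreach (array('href', 'src') as $attr) {
    foreach ($xpath->query("//*[@$attr]") as $node) {
        // getAttribute() returns the entity-decoded value, so encoded scheme
        // names are already in plain form here. Browsers also ignore control
        // characters and whitespace inside the scheme, so strip them first.
        $value = preg_replace('/[\x00-\x20]+/', '', $node->getAttribute($attr));
        if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $value, $m)
            && !in_array(strtolower($m[1]), $allowedSchemes, true)) {
            $node->removeAttribute($attr);                // unknown or active scheme: drop it
            continue;
        }
        if ($attr === 'href' && preg_match('/^https?:/i', $value)) {
            $node->setAttribute('rel', 'nofollow noopener'); // external link hygiene
        }
    }
}

// Serialise only the children of <body>, so no wrapper tags leak into the stored content.
$body = $doc->getElementsByTagName('body')->item(0);
$html = '';
foreach ($body->childNodes as $child) {
    $html .= $doc->saveHTML($child);
}
```

Relative URLs have no scheme and pass through unchanged; only absolute URLs with a scheme outside the allowlist lose their attribute.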

The module is based on SafeHTML, a project led by Roman Ivanov. This module strips out all potentially dangerous content within HTML:

  • opening tags without their closing tag;
  • closing tags without their opening tag;
  • mis-nested cases like <p><em>abc</p></em>, which are resolved;
  • any of these tags: "base", "basefont", "head", "html", "body", "applet", "object", "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound", "link", "meta", "style", "title", "blink", "xml" etc.;
  • any of these attributes: on*, data*, dynsrc;
  • javascript:/vbscript:/about: etc. protocols;
  • expression/behavior etc. in styles;
  • any other active content.

It also tries to convert the markup into valid XHTML, but HTML Tidy is a far better solution for that task.
