

HTML Filter Side Effects

The HTML Filter that comes with Drupal core is extremely useful - it allows you to restrict the HTML elements that you allow your content creators to use in their posts. If you don't want them including images or JavaScript, no problem. The filter settings allow you to specify exactly what HTML elements they are allowed to use.

One aspect of the HTML Filter that some people don't realize is that even if you allow a tag, HTML Filter will automatically strip out any potentially dangerous attributes, including the "style" attribute (Jacob Redding explains it better than I can). For example, let's say you allow your users to include images in-line in their posts. You set the HTML Filter to allow the <img> tag and think you're all set. The next day one of your content creators contacts you to complain that their new inline images aren't behaving the way they expect them to. Looking at the tag as your content creator entered it, everything seems fine.

<img src="/files/superduperawesomeimage.jpg" style="float:right;" alt="super duper" />

Then you view the rendered page and view the source for the image and you see this:

<img src="/files/superduperawesomeimage.jpg" alt="super duper" />

What happened to the style attribute?!

HTML Filter stripped it out. Turns out the style attribute can be a dangerous thing - some browsers (you know who you are) actually allow JavaScript inside style definitions leading to a whopping security hole. There's no setting to get around this - this is core behavior for the HTML Filter.

So - how do you get around it? Instruct your users that they can't use style attributes. In the example above, they can go all old-school and use "align=right" and it should work fine.
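To make the stripping behaviour concrete, here is an added example (not Drupal's own filter_xss() code, and deliberately simplified) of an allowlist-based HTML filter in Python: allowed tags survive, but "style" and on* event attributes are dropped from every tag, URL attributes are limited to a few assumed-safe schemes, and disallowed tags are removed while their text is kept and re-escaped. The allowed-tag set is a constructed sample, not a real site's configuration.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for the demo; Drupal's real list is configured per input format.
ALLOWED_TAGS = {"a", "em", "strong", "p", "ul", "ol", "li", "img"}
URL_ATTRS = {"href", "src"}
SAFE_PREFIXES = ("http:", "https:", "mailto:", "/", "#")


def attr_is_safe(name, value):
    """Keep an attribute only if it cannot carry script: no style, no on*
    handlers, and URL attributes limited to known-safe schemes or relative paths."""
    lname = name.lower()
    if lname == "style" or lname.startswith("on"):
        return False
    if lname in URL_ATTRS:
        v = (value or "").strip().lower()
        return v.startswith(SAFE_PREFIXES) or ":" not in v
    return True


class AllowlistFilter(HTMLParser):
    """Rebuilds markup keeping only allowed tags and their safe attributes."""

    def __init__(self, allowed):
        super().__init__()  # convert_charrefs=True: text arrives decoded
        self.allowed = allowed
        self.out = []

    def _emit(self, tag, attrs, self_closing):
        if tag not in self.allowed:
            return  # disallowed tag dropped; its text still arrives via handle_data
        kept = [f'{n}="{html.escape(v or "")}"' for n, v in attrs if attr_is_safe(n, v)]
        self.out.append("<" + " ".join([tag] + kept) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # re-escape decoded text


def filter_html(text, allowed=ALLOWED_TAGS):
    """Return text with only allowlisted tags and safe attributes remaining."""
    parser = AllowlistFilter(allowed)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

Feeding the post's <img> tag through filter_html() loses the style attribute but keeps src and alt, while an align="right" attribute passes through untouched.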

1 comment

Guest wrote 1 year 51 weeks ago

HTML Purifier

Another option is to use Full HTML with the HTML Purifier module. MUCH more to setup, but it will allow one to use inline styles in a safer manner.
