HTML Filter Side Effects

The HTML Filter that comes with Drupal core is extremely useful - it allows you to restrict the HTML elements that you allow your content creators to use in their posts. If you don't want them including images or JavaScript, no problem. The filter settings allow you to specify exactly what HTML elements they are allowed to use.

One aspect of the HTML Filter that some people don't realize is that even if you allow a tag, HTML Filter will automatically strip out any potentially dangerous attributes, including the "style" attribute (Jacob Redding explains it better than I can). For example, let's say you allow your users to include images in-line in their posts. You set the HTML Filter to allow the <img> tag and think you're all set. The next day one of your content creators contacts you to complain that their new inline images aren't behaving the way they expect them to. Looking at the tag as your content creator entered it, everything seems fine.

<img src="/files/superduperawesomeimage.jpg" style="float:right;" alt="super duper" />

Then you view the rendered page and view the source for the image and you see this:

<img src="/files/superduperawesomeimage.jpg" alt="super duper" />

What happened to the style attribute?!

HTML Filter stripped it out. Turns out the style attribute can be a dangerous thing - some browsers (you know who you are) actually allow JavaScript inside style definitions, leading to a whopping security hole. There's no setting to get around this - this is core behavior for the HTML Filter.

So - how do you get around it? Instruct your users that they can't use style attributes. In the example above, they can go all old-school and use "align=right" and it should work fine.
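To make the stripping behavior concrete, here is an added Python model of an allow-list HTML filter. This is example code written for this post, not Drupal's actual filter_xss() implementation; the tag list and the attribute policy (drop style, on* handlers and script-scheme URLs) are assumptions. It shows the <img> tag above losing its style attribute while align="right" survives.

```python
"""Model of an allow-list HTML filter that, like Drupal core's HTML Filter,
strips dangerous attributes even from tags the site allows."""
import html
import re
from html.parser import HTMLParser

# Policy is an assumption for this example, not Drupal's hard-coded list.
ALLOWED_TAGS = {"a", "em", "strong", "img", "ul", "ol", "li", "p", "br"}
VOID_TAGS = {"img", "br"}
URL_ATTRS = {"href", "src"}
SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)

def attribute_is_safe(name, value):
    """style and on* are always dropped; href/src may not carry a script scheme."""
    name = name.lower()
    if name == "style" or name.startswith("on"):
        return False
    if name in URL_ATTRS and value is not None and SCHEME_RE.match(value):
        return False
    return True

class FilterHTML(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def _emit_tag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag is dropped; its text content is still kept
        kept = [(n, v) for n, v in attrs if attribute_is_safe(n, v)]
        parts = [tag] + [f'{n}="{html.escape(v, quote=True)}"' if v is not None else n
                         for n, v in kept]
        self.out.append("<" + " ".join(parts) + (" />" if tag in VOID_TAGS else ">"))
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_html(markup):
    """Return markup with disallowed tags and dangerous attributes removed."""
    p = FilterHTML()
    p.feed(markup)
    p.close()
    return "".join(p.out)
```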

1 comment

Guest wrote 2 years 14 weeks ago

HTML Purifier

Another option is to use Full HTML with the HTML Purifier module. MUCH more to set up, but it will allow one to use inline styles in a safer manner.
