Guidelines for Secure Input Filters
As stated in the Drupal configuration pages, "Improper text format configuration is a security risk."
Therefore, on websites hosted by SAS we require that input filters used by content editors meet strict security standards. We do not allow content editors to use full HTML to edit content. We ask our web developers to create an input filter for content editors that allows many commonly used tags without allowing full HTML. We typically call this input filter “Advanced Filtered HTML” or something similar (we find that the “Filtered HTML” filter that is there by default usually does not quite meet the needs of the content editors). This input filter should meet the following criteria:
- The role should be usable only by administrators and content editors, not authenticated or anonymous users
- The following filters should be enabled, in the following order: Limit allowed HTML tags; Convert line breaks into HTML; Convert URLs into links; Correct faulty and chopped off HTML
- Allowed HTML tags: <span> <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><img><p><blockquote><br/><br><table><thead><th><tbody><tr><td><h2><h3><h4><h5><div>
- The Advanced Filtered HTML text format should be ranked 1st so that it is selected by default.
We prefer that the WYSIWYG editor should be TinyMCE, configured as follows:
- Enabled by default should be checked
- Do not check Allow users to choose default
- Enable/disable rich text toggle link
Buttons and Plugins:
- We prefer a minimalist approach – within a properly set up Drupal environment, the editors should not need to change the basic layout of the page very much. The following should be checked: Bold, numbered list, unlink, italic, block format, bullet list, styles (if supported in the CSS). Expand this list only with discretion. In some cases, paste from Word or clean-up is advisable. If you think your client needs other buttons for special need (for example, superscripts for academic citations) please consult with us.
- Typically toolbars are aligned to the top left, and the path location is at the bottom. The resizing button may be enabled.
Cleanup and output:
- Only Verify HTML and Remove line breaks should be checked. All others should remain unchecked.
- This is at the discretion of the developer and the specific site needs, but again, we recommend a minimalist approach. Typically we find it useful to give users the block formats p, h2, h3, h4, h5, h6, blockquote, div.