HTML Filter Side Effects

The HTML Filter that comes with Drupal core is extremely useful - it allows you to restrict the HTML elements that you allow your content creators to use in their posts. If you don't want them including images or JavaScript, no problem. The filter settings allow you to specify exactly what HTML elements they are allowed to use.

One aspect of the HTML Filter that some people don't realize is that even if you allow a tag, HTML Filter will automatically strip out any potentially dangerous attributes, including the "style" tag (Jacob Redding explains it better than I can). For example, let's say you allow your users to include images in-line in their posts. You set the HTML Filter to allow the tag and think you're all set. The next day one of your content creators contacts you to complain that their new inline images are behaving they way they expect them to. Looking at the tag as your content creator entered it, everything seems fine.

<img src="/files/superduperawesomeimage.jpg" style="float:right;" alt="super duper" />

Then you view the rendered page and view the source for the image and you see this:

<img src="/files/superduperawesomeimage.jpg" alt="super duper" />

What happened to the style attribute?!

HTML Filter stripped it out. Turns out the style attribute can be a dangerous thing - some browsers (you know who you are) actually allow JavaScript inside style definitions leading to a whopping security hole. There's no setting to get around this - this is core behavior for the HTML Filter.

So - how do you get around it? Instruct your users that they can't use style attributes. In the example above, they can go all old-school and use "align=right" and it should work fine.


Another option is to use Full HTML with the HTML Purifier module. MUCH more to setup, but it will allow one to use inline styles in a safer manner.

Submitted by Guest (not verified) on Wed, 02/10/2010 - 09:27

Sign up to receive email notifications of whenever we publish a new blog post or quicktip!