Wysiwyg filter guide
Drupal core comes with two input formats: Filtered HTML and Full HTML. The Filtered HTML format lets both authenticated and anonymous users enter comments and content safely by limiting the allowed HTML tags to a very small set with the HTML Filter. Full HTML is intended for admin use only because it allows any HTML tags and attributes to be used. WYSIWYG editors make use of many more tags and attributes to cover the full range of formatting options. Since the HTML Filter can only allow or disallow whole HTML tags, it is inadequate for complete safety with a WYSIWYG editor, which makes use of a large range of HTML tags and attributes. For safety from XSS and other attacks, HTML tags and attributes must be very precisely controlled so that the WYSIWYG editor can safely render its full range of styling. The Wysiwyg Filter satisfies exactly this need: it lets you specify precisely which tags and which attributes are allowed, giving you the full range of HTML tags and attributes the WYSIWYG editors require while keeping the format completely safe. It is a replacement for the built-in HTML Filter.
With the Wysiwyg filter, you not only specify which tags are allowed, you also control which attributes each tag can have. For the class, id and style attributes, you further specify exactly which values are allowed. When the Wysiwyg filter module is installed, a new "WYSIWYG Filter" is added; use it in place of the HTML filter. For example, you can change the default "Filtered HTML" format or create a new input format. I added a new "Rich HTML" format that allows more extensive HTML tags and attributes for use with the WYSIWYG editor and left the "Filtered HTML" input format unchanged.
Once the "WYSIWYG Filter" is enabled and saved, click the "Configure" local tab to set up the filter. Adjust the order of the filters, then specify the "HTML elements and attributes": this specifies which HTML tags and attributes are allowed. The Wysiwyg filter uses the TinyMCE valid_elements syntax. If you allow the style and/or class/id attributes, it is important to scroll down and expand the "Style properties" and "Advanced rules" fieldsets to specify what is allowed in those attributes. If you neglect to do so, the filter will warn you that those attributes will be filtered out (this warning was added by yours truly).

The "Style properties" fieldset is a set of checkboxes for the style properties that are allowed. Install the Checkall module for a small form enhancement that lets you check all of the checkboxes at once. The "Advanced rules" fieldset has text fields for the string patterns that are allowed in the class and id attributes and in the url property of the style attribute. These are simple text patterns in which the asterisk (*) is a wildcard for zero or more characters; a pattern must begin with a literal string. So "abc*" is any string beginning with "abc", e.g. "abc-xyz", and "format-*-class" is any string beginning with "format-" and ending with "-class", e.g. "format-right-align-class".
The Wysiwyg filter also provides link spam deterrence. It adds rel="nofollow" to any URL link that is not on the whitelist. This zaps anyone trying to game search engine rankings by pretending to comment on your blog, adding a link to their site and cleverly hiding it inside <span style="display:none;">...</span>. No more spamdexing, Mr.!
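To make the rules above concrete, here is a small Python re-implementation of the filter's behaviour, written for this guide and not taken from the Wysiwyg Filter module or Drupal: it parses the plain `tag[attr|attr]` subset of the TinyMCE valid_elements syntax, applies `abc*`-style patterns to class and id values, keeps only checked style properties (so a smuggled `display:none` is dropped), strips unlisted tags and attributes while keeping their text, and adds `rel="nofollow"` to links whose host is not on the whitelist. The configuration, the sample fragment and the `example.com`/`example.org` hosts are constructed for the demonstration; the rule that only http(s) and relative URLs pass through `href`/`src` is an assumption added here, not a setting described on this page.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

def parse_valid_elements(spec):
    """Subset of TinyMCE valid_elements syntax: 'a[href|title],p,strong' -> {tag: {attrs}}."""
    allowed = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        m = re.fullmatch(r"([a-z0-9]+)(?:\[([^\]]*)\])?", item, re.IGNORECASE)
        if not m:
            raise ValueError(f"unsupported rule: {item!r}")
        allowed[m.group(1).lower()] = {a.strip().lower() for a in (m.group(2) or "").split("|") if a.strip()}
    return allowed

def pattern_to_regex(pattern):
    """'abc*' or 'format-*-class': '*' is zero or more characters; a literal prefix is required."""
    if not pattern or pattern.startswith("*"):
        raise ValueError("pattern must begin with a literal string")
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def value_allowed(value, regexes):
    return any(r.fullmatch(value) for r in regexes)

def filter_style(style, allowed_props):
    """Keep only whitelisted CSS properties (the 'Style properties' checkboxes)."""
    kept = []
    for decl in style.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in allowed_props and val:
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)

class WysiwygSanitizer(HTMLParser):  # toy re-implementation of the filter's rules, not the module's code
    def __init__(self, allowed, class_patterns, id_patterns, style_props, link_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.class_re = [pattern_to_regex(p) for p in class_patterns]
        self.id_re = [pattern_to_regex(p) for p in id_patterns]
        self.style_props, self.link_hosts = set(style_props), set(link_hosts)
        self.out, self.open = [], []

    def _clean_attrs(self, tag, attrs):
        cleaned = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in self.allowed[tag]:
                continue  # unlisted attributes such as onclick= are dropped
            if name == "class":
                value = " ".join(c for c in value.split() if value_allowed(c, self.class_re))
            elif name == "id" and not value_allowed(value, self.id_re):
                value = ""
            elif name == "style":
                value = filter_style(value, self.style_props)
            elif name in ("href", "src") and urlsplit(value).scheme not in ("", "http", "https"):
                value = ""  # assumption added here: only http(s) and relative URLs pass
            if value:
                cleaned.append((name, value))
        host = urlsplit(dict(cleaned).get("href", "")).hostname if tag == "a" else None
        if host and host not in self.link_hosts:
            cleaned.append(("rel", "nofollow"))  # link spam deterrence for non-whitelisted hosts
        return cleaned

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in self.allowed:
            return  # a disallowed tag is stripped; its text content is kept
        attr_text = "".join(f' {n}="{html.escape(v)}"' for n, v in self._clean_attrs(tag, attrs))
        self.out.append(f"<{tag}{attr_text}>")
        self.open.append(tag)

    def handle_endtag(self, tag):
        while tag.lower() in self.open:  # pop back to the matching tag so output stays balanced
            self.out.append(f"</{self.open.pop()}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        return "".join(self.out) + "".join(f"</{t}>" for t in reversed(self.open))

def sanitize(fragment, **config):
    s = WysiwygSanitizer(**config)
    s.feed(fragment)
    return s.result()

CONFIG = dict(  # constructed sample settings, not taken from the page
    allowed=parse_valid_elements("p[class|style],a[href|title],span[class],strong,em"),
    class_patterns=["format-*-class"], id_patterns=["content-*"],
    style_props={"text-align", "color"}, link_hosts={"example.com"},
)
SAMPLE = ('<p class="format-right-align-class spam" style="text-align:right;display:none">Visit '
          '<a href="http://example.org/page" onclick="x()">us</a> or <a href="/local">home</a>'
          '<script>alert(1)</script><span style="display:none" id="ad-1">hidden</span></p>')

if __name__ == "__main__":
    print(sanitize(SAMPLE, **CONFIG))
```

Running it on the constructed sample keeps the matching `format-right-align-class` class and the `text-align` property, drops `spam`, `display:none`, `onclick`, the `script` tag and the unlisted `style`/`id` on the span, and marks the `example.org` link `rel="nofollow"` while the relative link is left alone. The real module's form also covers the style attribute's url property patterns, which this toy leaves out.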
Click the link to see a complete module settings screen png file.
Thanks for the explanation!! It's very useful!!
I've tried to use the font size and style selector that comes with this page's tinyMCE, but it seems that it is not filtering it properly :-(
Great blog, this could be the best blog I have visited this month. Never stop writing something useful, dude!
Nice
It was my pleasure to visit your website. I also very much enjoyed the article.