Submitted by Mikhail Ismajlov on Fri, 08/09/2019 - 06:52

Drupal sites are usually built to be put on the Internet, and once a site is published it is available to the whole world, including spammers and crawlers looking for a chance to post spam and their own code on it. Drupal has checks and text filters that find and neutralize code submitted through your data-entry forms (you can read more about XSS attacks).

Let's go to Configuration - Content authoring - Text formats and editors:

/admin/config/content/formats

[Screenshot: Drupal 8 Text Formats and Editors]

Here we have the default text formats: Full HTML, Basic HTML, Restricted HTML and Plain text. They are checked from top to bottom: if the user has a role that is allowed to use a format, that format is applied; if not, the next format below is tried. The lower a format sits in the list, the more filters it applies and the less of the text remains. Let's put Full HTML at the very top, since it is the most permissive format with the fewest checks, and let administrators have it by default:


[Screenshot: Drupal 8 text formats]

Now let's go into the Basic HTML settings and enable this format for the Anonymous user role, and let anonymous users also use CKEditor (the visual editor).

[Screenshot: Drupal 8 Basic HTML]

Please note that CKEditor is disabled by default, and this is done for a reason. An outdated visual editor is a vulnerability in your site, and since you are opening the visual editor to anonymous users, you are opening that vulnerability to everyone. But don't worry, CKEditor is built into Drupal and it will be updated together with Drupal.

Moving on to the further settings, here we can create groups of toolbar buttons and drag the buttons we need into them. I created the Alignment group and added the text-alignment buttons to it.

[Screenshot: Drupal 8 CKEditor toolbar]

After that we have the option to configure file uploads via CKEditor, but I think the defaults are fine:

[Screenshot: Drupal 8 CKEditor image upload settings]

Next we can set the filters for the text format. Pay attention to the "Limit allowed HTML tags and correct faulty HTML" filter: it is the core filter of Basic HTML, it strips JavaScript from text fields and leaves only the allowed tags. The other filters you can turn on and off as you wish.

[Screenshot: Drupal 8 filters]

We can arrange the enabled filters in the order shown below. Here the main filter, "Limit allowed HTML tags and correct faulty HTML", needs to be at the top so that it filters out all JavaScript before the other filters start working.

[Screenshot: Drupal 8 filter order]

And at the very end we can set which tags to keep after filtering. The default list already covers a fairly wide range of HTML tags, so you can leave it as it is. But I would add rel="nofollow" so that spam comments on the site do not harm our SEO.

[Screenshot: Drupal 8 allowed tags]
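The same set-up as Drupal would export it to configuration files, as an added example constructed for this article rather than an export from the author's site; it assumes the default basic_html machine name and the standard config/sync export directory:

```yaml
# Constructed example for this article, not an export from the author's site.
# --- config/sync/filter.format.basic_html.yml ---
langcode: en
status: true
dependencies:
  module:
    - editor
name: 'Basic HTML'
format: basic_html
# Lower weight = higher on the Text formats page; the first format that one of
# the user's roles may use is the one the user gets by default.
weight: 1
filters:
  filter_html:
    id: filter_html
    provider: filter
    status: true
    # Lowest weight of the enabled filters, so it runs before the others.
    weight: -10
    settings:
      # Allowed tags and, per tag, allowed attributes; everything else is stripped.
      allowed_html: '<a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id> <p> <br> <img src alt data-entity-type data-entity-uuid>'
      filter_html_help: true
      # Adds rel="nofollow" to every link, so spam comments pass on no link weight.
      filter_html_nofollow: true
  filter_align:
    id: filter_align
    provider: filter
    status: true
    weight: -8
    settings: {  }
  filter_html_image_secure:
    id: filter_html_image_secure
    provider: filter
    status: true
    weight: 9
    settings: {  }
---
# --- config/sync/user.role.anonymous.yml (only the relevant part) ---
# The text format itself stores no roles; access to it is a permission on the role.
id: anonymous
label: 'Anonymous user'
permissions:
  - 'access content'
  - 'use text format basic_html'
```

After editing the files, `drush config:import` applies them and the Text formats page shows the same result as the screenshots above.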