Drupal sites are usually made in order to put on the Internet. And when you post a site, it becomes available to the whole world, including spammers and crawlers looking for the opportunity to post spam and their code on your site. Drupal has checks and text filters to find and neutralize code from your data entry forms (you can read more about XSS attacks).
Let's go to Configuration - content authoring - Text formats and editors:
Here we have the default text formats: Full HTML, Basic HTML, Restricted HTML, plain Text. They are executed from top to bottom, if the user has the desired role, then it is applied, if there is no role, then the filter is applied, which is located below. The lower the filter, the less text remains and the more filters are applied. Let's put Full HTML at the very top, this is the most loyal filter, it has the least number of checks, let administrators have it by default:
Now let's go into the Basic HTML settings and put the filter roles for anonymous users, let them also have the ability to use CKEditor (visual editor).
Please note that CKEditor is disabled by default and this is done for a reason. Outdated visual editors are a vulnerability in your site. And since you open the visual editor to anonymous users, you open the vulnerability to everyone. But don’t worry, CKEditor is built into Drupal and it will be updated with Drupal.
Let's move on to the further settings, here we can create groups of icons and drag the icons we need there. I created the Alignment group and inserted icons there to align the text.
After that, we have the opportunity to configure the file upload via CKEditor, but I think everything is in order and by default:
And at the very end, we can set which tags to leave after filtering. In principle, there is a fairly wide range of HTML tags, so you can leave it as it is. But rel = "nofollow" I would add so that spam comments on the site do not harm our seo-promotion.