HTML Filtering Options in Global Article Parameters

January 27, 2009 By barrie@compassdesigns.net Leave a Comment


Filtering Options (HTML)

Web sites can be attacked by users submitting specially crafted HTML.
Filtering is a way to protect your Joomla! web site. Joomla! 1.5 brings
new filtering options that give you more control over the HTML your
content providers are allowed to submit. You can be as strict or as
liberal as you wish, depending on your site’s needs.

It is important to understand that filtering occurs at the time an article is saved, after
it has been written or edited. Depending on your editor and filter
settings, it is possible for a user to add HTML to an article during
the edit session only to have that HTML removed from the article when
it is saved. This can sometimes cause confusion or frustration. If you
have filtering set up on your site, make sure your users understand
what types of HTML are allowed.

The default setting, as of Joomla! version 1.5.9, is that all users except members of the Super Administrator group
will have "black list" filtering on by default. This is designed to
protect against markup commonly associated with web site attacks. So,
if you do not set any filtering options, the Super Administrator will
have no filtering done, and all other users will have "black list"
filtering done using the default list of filtered items. If you create
a filter here, this overrides the default, and the default filter is no
longer in effect. Only one filter option is allowed per site.

There are two steps to setting up filtering:

  1. Decide on the user groups that will receive filtering. This will
    normally include the highest level group you want to filter and all of
    the groups below that level. For example, if you want to filter
    Publishers and below, this would include Publisher, Editor, Author, and
    Registered.
  2. Enter the type and extent of the desired filtering.

For example, if you want filtering only for Author, Registered user,
and guests, select "Author", "Registered", and "Public Front End" for
the Filter Groups and then select the desired type of filtering. This
will apply to members of the Author, Registered and public groups but
not to "higher" groups, such as Editors, Publishers, and so on.

The default filtering is overridden by entering in the following fields:

  • Filter Groups. This sets the user groups that you want
    filters applied to. Use Ctrl+Click to select multiple groups. Groups
    that are not selected will have no filtering done.

    Important Note: There is a bug, as of version 1.5.8, such that
    you must specify at least two groups for the filtering to take place.
    If you only specify one group, no filtering will happen. This is easy
    to work around. Just be sure to always specify at least two groups here.

  • Filter Type. Black List (Default), White List, No HTML.
    • Black list means allow all HTML tags and attributes except those listed.
    • White list means allow only the listed tags and attributes.
    • No HTML means allow no HTML markup at all. All HTML is removed from an Article when it is saved.
  • Filter Tags. The extra tags to exclude in a Black List, or the only tags to allow in a White List.
  • Filter Attributes. The extra tag attributes to exclude in a Black List, or the only tag attributes to allow in a White List.

Default Filters

The default filter method in Joomla! is ‘Black List’. The default ‘Black List’ contains the following tags to exclude:

‘applet’, ‘body’, ‘bgsound’, ‘base’, ‘basefont’, ‘embed’, ‘frame’,
‘frameset’, ‘head’, ‘html’, ‘id’, ‘iframe’, ‘ilayer’, ‘layer’, ‘link’,
‘meta’, ‘name’, ‘object’, ‘script’, ‘style’, ‘title’, ‘xml’

The default ‘Black List’ contains the following attributes to exclude:

‘action’, ‘background’, ‘codebase’, ‘dynsrc’, ‘lowsrc’

You can ‘Black List’ (disallow) additional tags and attributes by
adding them to the Filter tags and Filter attributes fields, separating each
tag or attribute name with a space or comma. If you select a Filter
Type of "Black List", the default list above is always used, plus any
additional tags and attributes you add.

Please note that these settings work regardless of the editor that
you are using. Even if you are using a WYSIWYG editor, the filtering
settings may strip additional tags and attributes prior to saving
information in the database.

Filter Examples

Example One:

To allow people in your Author group to only submit content with basic HTML tags, use the following settings:

  • In the Filter groups box, select Registered and Author.
  • Select White List as the Filter type
  • Set the Filter tags to: p, b, i, em, br, a, ul, ol, li, img
  • Set the Filter attributes to: href, target, src

In this example, no filtering will be done for members of the
Editor, Publisher, Manager, Administrator, and Super Administrator
groups.

Example Two:

To apply the default black-list filtering to all groups except for Admin and Super Admin, use the following settings:

  • In the Filter groups box, select all groups except Admin and Super Admin.
  • Select Black List as the Filter type.
  • Leave the Filter Tags and Filter attributes fields empty.

In this example, no filtering will be done for members of the Administrator and Super Administrator groups.

Example Three:

If you allow others you do not know (and therefore have no reason to
trust) to submit articles on your Joomla! Web site, the safest (and
most restrictive) filtering is as follows:

  • In the Site → Global Configuration → System, set "New Registration Type" to "Author".
  • In the Filter groups box, select Registered and Author.
  • In the Filter Type, select "No html".

This will not allow an author to use any HTML inside an article’s
content. In this example, no filtering will be done for members of the
Editor, Publisher, Manager, Administrator, and Super Administrator
groups.
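To make the three Filter Types and the default lists concrete, here is an added Python model (it is not Joomla's own JFilterInput code, which also copes with malformed markup and other cases) that applies the article's default black list, Example One's white list, and the No HTML setting to a constructed sample article. The functions `filter_html` and `filter_for_group`, the tag scanner and the sample text are assumptions of this illustration.

```python
import re

# Joomla! 1.5 default 'Black List' tags and attributes, as quoted in the article.
DEFAULT_TAG_BLACKLIST = {
    "applet", "body", "bgsound", "base", "basefont", "embed", "frame",
    "frameset", "head", "html", "id", "iframe", "ilayer", "layer", "link",
    "meta", "name", "object", "script", "style", "title", "xml",
}
DEFAULT_ATTR_BLACKLIST = {"action", "background", "codebase", "dynsrc", "lowsrc"}

# Deliberately simple tag/attribute scanner (an assumption of this model, not
# Joomla's JFilterInput parser). It strips tag markup only; text content stays.
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][\w-]*)([^>]*)>", re.S)
ATTR_RE = re.compile(r"""([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?""")


def filter_html(text, mode="blacklist", tags=(), attrs=()):
    """Model the three Filter Types: 'blacklist', 'whitelist' or 'nohtml'."""
    if mode == "nohtml":
        return TAG_RE.sub("", text)
    tags, attrs = {t.lower() for t in tags}, {a.lower() for a in attrs}
    if mode == "blacklist":
        # The default lists always apply, plus whatever the admin adds.
        bad_tags, bad_attrs = DEFAULT_TAG_BLACKLIST | tags, DEFAULT_ATTR_BLACKLIST | attrs
        tag_ok, attr_ok = (lambda t: t not in bad_tags), (lambda a: a not in bad_attrs)
    elif mode == "whitelist":
        # Only the listed tags and attributes survive.
        tag_ok, attr_ok = (lambda t: t in tags), (lambda a: a in attrs)
    else:
        raise ValueError(f"unknown filter type: {mode}")

    def rewrite(m):
        closing, name, rest = m.group(1), m.group(2).lower(), m.group(3)
        if not tag_ok(name):
            return ""
        if closing:
            return f"</{name}>"
        kept = [a.group(0) for a in ATTR_RE.finditer(rest) if attr_ok(a.group(1).lower())]
        return "<" + " ".join([name] + kept) + ">"

    return TAG_RE.sub(rewrite, text)


def filter_for_group(user_group, filter_groups, text, mode, tags=(), attrs=()):
    """Groups not selected under 'Filter Groups' get no filtering at all."""
    return filter_html(text, mode, tags, attrs) if user_group in filter_groups else text


# Constructed sample article body (not from the original page).
SAMPLE = ('<p>Hello <b>world</b> <a href="/about" target="_blank">about</a> '
          '<img src="/a.png" lowsrc="/b.png"> <span style="color:red">red</span> '
          '<script>x()</script><iframe src="/frame.html"></iframe></p>')
```

Running the sample through all three modes shows the ordering the article implies: the default black list removes only the listed tags and attributes, Example One's white list also drops the unlisted span, and No HTML leaves plain text.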

The information quoted is available under the Joomla! EDL.

Right now, I am not so sure I am a fan of this feature. On my sites (where I don’t have user content) I select Registered and Author (I need two because of the bug mentioned above) and then Black List.

This allows me to work unhindered.

Copyright © 2023 Compass Designs · Musings on Education, Life, Joomla and the Web by Barrie North