Filtering Options (HTML)
Web sites can be attacked by users who enter crafted HTML. Filtering is one way to protect your Joomla! web site. Joomla! 1.5 brings new filtering options that give you more control over the HTML your content providers are allowed to submit. You can be as strict or as liberal as you want, depending on your site's needs.

It is important to understand that filtering occurs at the time an article is saved, after it has been written or edited. Depending on your editor and filter settings, a user can add HTML to an article during the edit session only to have that HTML removed when the article is saved. This can cause confusion or frustration. If you have filtering set up on your site, make sure your users understand what types of HTML are allowed. Note also that because filtering runs only on save, tightening the settings later does not change articles that were saved before the change.

The default setting, as of Joomla! version 1.5.9, is that all users except members of the Super Administrator group have "black list" filtering on. This is designed to protect against markup commonly associated with web site attacks. So, if you do not set any filtering options, the Super Administrator has no filtering done, and all other users have "black list" filtering done using the default list of filtered items. If you create a filter here, it overrides the default, and the default filter is no longer in effect. Only one filter option is allowed per site.

There are two steps to setting up filtering:
- Decide on the user groups that will receive filtering. This will normally include the highest-level group you want to filter and all of the groups below that level. For example, if you want to filter Publishers and below, this would include Publisher, Editor, Author, and Registered.
- Enter the type and extent of the desired filtering. For example, if you want filtering only for Author, Registered user, and guests, select "Author", "Registered", and "Public Front End" for the Filter Groups and then select the desired type of filtering. This will apply to members of the Author, Registered and public groups but not to "higher" groups, such as Editors, Publishers, and so on.

The default filtering is overridden by entering the following fields:
- Filter Groups. This sets the user groups that you want filters applied to. Use Ctrl+Click to select multiple groups. Groups that are not selected will have no filtering done.

Important Note: There is a bug, as of version 1.5.8, such that you must specify at least two groups for the filtering to take place. If you only specify one group, no filtering will happen. This is easy to work around: always specify at least two groups here.
- Filter Type. Black List (Default), White List, No HTML.
- Black list means allow all HTML tags and attributes except those listed.
- White list means allow only the listed tags and attributes.
- No HTML means allow no HTML markup at all. All HTML is removed from an Article when it is saved.
- Filter Tags. The extra tags to exclude in a Black List, or the only tags to allow in a White List.
- Filter Attributes. The extra tag attributes to exclude in a Black List, or the only tag attributes to allow in a White List.
Default Filters
The default filter method in Joomla! is ‘Black List’. The default ‘Black List’ contains the following tags to exclude:
- ‘applet’, ‘body’, ‘bgsound’, ‘base’, ‘basefont’, ‘embed’, ‘frame’, ‘frameset’, ‘head’, ‘html’, ‘id’, ‘iframe’, ‘ilayer’, ‘layer’, ‘link’, ‘meta’, ‘name’, ‘object’, ‘script’, ‘style’, ‘title’, ‘xml’

The default ‘Black List’ contains the following attributes to exclude:
- ‘action’, ‘background’, ‘codebase’, ‘dynsrc’, ‘lowsrc’

You can ‘Black List’ (disallow) additional tags and attributes by adding them to the Filter Tags and Filter Attributes fields, separating each tag or attribute name with a space or comma. If you select a Filter Type of "Black List", this default list is always used, plus any additional tags and attributes you add. Remember that a black list only removes what it names; anything not on the list is allowed through.

Please note that these settings work regardless of the editor that you are using. Even if you are using a WYSIWYG editor, the filtering settings may strip additional tags and attributes before the information is saved to the database.

Filter Examples
Example One:
To allow people in your Author group to only submit content with basic HTML tags, use the following settings:
- In the Filter groups box, select Registered and Author.
- Select White List as the Filter type
- Set the Filter tags to: p, b, i, em, br, a, ul, ol, li, img
- Set the Filter attributes to: href, target, src
In this example, no filtering will be done for members of the Editor, Publisher, Manager, Administrator, and Super Administrator groups.
Example Two:
To apply the default black-list filtering to all groups except for Admin and Super Admin, use the following settings:
- In the Filter groups box, select all groups except Admin and Super Admin.
- Select Black List as the Filter type.
- Leave the Filter Tags and Filter attributes fields empty.
In this example, no filtering will be done for members of the Administrator and Super Administrator groups.
Example Three:
If you allow others you do not know (and therefore have no reason to
trust) to submit articles on your Joomla! Web site, the safest (and
most restrictive) filtering is as follows:
- In the Site → Global Configuration → System, set "New Registration Type" to "Author".
- In the Filter groups box, select Registered and Author.
- In the Filter Type, select "No HTML".
This will not allow an author to use any HTML inside an article’s
content. In this example, no filtering will be done for members of the
Editor, Publisher, Manager, Administrator, and Super Administrator
groups.
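To make the three filter types, the default black list and the Filter Groups rule concrete, here is a small Python model of the rules described on this page, run against the three example configurations above. It is an added example, not Joomla's own JFilterInput code: the real class applies checks beyond the documented lists (for instance on attribute values), which this model does not reproduce. The function names, the sample article body and the group names passed to it are constructed for the illustration.

```python
"""Model of the article-filter rules described on this page (added example,
not Joomla's JFilterInput): the three Filter Types, the default black list,
extra names from the Filter Tags / Filter Attributes fields, and the rule
that groups not selected in Filter Groups are not filtered at all."""
import html
from html.parser import HTMLParser

# Default black list, exactly as quoted under "Default Filters".
DEFAULT_TAG_BLACKLIST = {
    "applet", "body", "bgsound", "base", "basefont", "embed", "frame",
    "frameset", "head", "html", "id", "iframe", "ilayer", "layer", "link",
    "meta", "name", "object", "script", "style", "title", "xml",
}
DEFAULT_ATTR_BLACKLIST = {"action", "background", "codebase", "dynsrc", "lowsrc"}
VOID_TAGS = {"br", "img", "hr", "input"}  # never re-emit a closing tag for these


def parse_list(field):
    """Filter Tags / Filter Attributes fields: names separated by spaces or commas."""
    return {name.lower() for name in field.replace(",", " ").split()}


class ArticleFilter(HTMLParser):
    """Re-emits the markup it is fed, dropping tags and attributes the mode forbids."""

    def __init__(self, mode, tags="", attrs=""):
        # convert_charrefs=False: entities pass through untouched, so text such
        # as "&lt;script&gt;" stays text and is never turned into a live tag.
        super().__init__(convert_charrefs=False)
        if mode not in ("blacklist", "whitelist", "nohtml"):
            raise ValueError(f"unknown filter type: {mode}")
        self.mode, self.tags, self.attrs = mode, parse_list(tags), parse_list(attrs)
        if mode == "blacklist":  # the default list is always used, plus additions
            self.tags |= DEFAULT_TAG_BLACKLIST
            self.attrs |= DEFAULT_ATTR_BLACKLIST
        self.out = []

    def tag_allowed(self, tag):
        if self.mode == "nohtml":
            return False
        if self.mode == "blacklist":
            return tag not in self.tags  # anything not named gets through
        return tag in self.tags          # whitelist: only what is named

    def attr_allowed(self, name):
        if self.mode == "blacklist":
            return name not in self.attrs
        return name in self.attrs

    def handle_starttag(self, tag, attrs):
        if not self.tag_allowed(tag):
            return  # tag dropped; its inner text still arrives via handle_data
        kept = "".join(
            f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs if self.attr_allowed(k)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.tag_allowed(tag) and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_html(markup, mode, tags="", attrs=""):
    """Apply one Filter Type / Filter Tags / Filter Attributes setting to an article body."""
    f = ArticleFilter(mode, tags, attrs)
    f.feed(markup)
    f.close()
    return "".join(f.out)


def save_article(markup, group, filter_groups, mode, tags="", attrs=""):
    """What gets stored on save: a group not selected in Filter Groups is not filtered."""
    if group not in filter_groups:
        return markup
    return filter_html(markup, mode, tags, attrs)


# Constructed sample article body (not from the page).
SAMPLE = ('<p>Hello <b>world</b> <a href="/x" onclick="alert(1)">link</a>'
          '<script>alert(1)</script><img src="a.png" lowsrc="b.png"></p>')

# The three example configurations from the page, as hypothetical group names.
EXAMPLE_ONE = dict(filter_groups={"Registered", "Author"}, mode="whitelist",
                   tags="p, b, i, em, br, a, ul, ol, li, img", attrs="href, target, src")
EXAMPLE_TWO = dict(filter_groups={"Public Front End", "Registered", "Author",
                                  "Editor", "Publisher", "Manager"}, mode="blacklist")
EXAMPLE_THREE = dict(filter_groups={"Registered", "Author"}, mode="nohtml")

if __name__ == "__main__":
    for name, cfg in (("One", EXAMPLE_ONE), ("Two", EXAMPLE_TWO), ("Three", EXAMPLE_THREE)):
        print(f"Example {name}, Author saves: {save_article(SAMPLE, 'Author', **cfg)}")
        print(f"Example {name}, Editor saves: {save_article(SAMPLE, 'Editor', **cfg)}")
```

Two things worth noticing in the output. Dropping a tag does not drop its text, so the body of the `<script>` element survives as inert text in every mode. And in this model the `onclick` attribute survives the default black list, simply because the documented attribute list does not name it, while the Example One white list removes it because it is not on the allowed list; that is the practical difference between the two filter types, and why Example Three falls back to "No HTML" for contributors you do not trust.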
The information quoted is available under the Joomla! EDL.
Right now, I am not so sure I am a fan of this feature. On my sites (where I don’t have user content) I select registered and author (need 2 because of the bug mentioned) and then blacklist.
This allows me to work unhindered.