Taking care your "Input Formats"

Regardless which CMS you are using, taking care of your HTML input is critical for security reasons especially if you allow user participation in your websites. As stated in http://www.drupal.my/node/294 I really hope Drupal sites in Malaysia will not be in the radar ...well at least we should take precaution.

So what is HTML input? Whenever you have form, we are talking about HTML input especially HTML text area.

The rules of thumb is, never trust your users. Secondly, never give FULL HTML to everyone! For example above, I have the options because I am admin, so I can choose either one. For normal authenticated user, they should not have the option. 

Many mistake I have seen was setting Full HTML as the default. Yeah I know, it's troublesome to use full HTML if you have to click at the input format, sometimes you have forgotten and the output is not as we expected. Use "Better format" module so it give default input format for admin. IN Drupal.my we set default "Full HTML" for admin, moderator, translator. Still keep "Filtered HTML" for authenticated user. Sorry guys .. that's just the way it is ...and likewise, you should practice on your site.

Why Full HTML is no good for anybody? This is a place when unethical user might put javascript or CSS to do nasty thing such as cross-site-scripting (XSS) from the form. Filtered HTML does filtering bad stuff, and only allowing certain HTML tag such as :

• Web page addresses and e-mail addresses turn into links automatically.
• Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
• Lines and paragraphs break automatically.

Najibx - xWeb
Drupal Acquia partner in Malaysia