
Using input filters

From: Drupal 6 Essential Training

One way that vandals attack Internet-based systems is through a trick called code injection. They find places where the system's designer has allowed the outside world to provide input, and then they put programming code there instead of entering information in the format the developer expected. At the least, such tricks can lead to ugly posts. At most, they can lead to the attacker completely destroying or gaining control of your site. In Drupal, you have control over the sort of information users can enter into posts and comments through a system of input filters. Drupal includes three such filters, two of which are turned on by default, and you can add your own as you like.

To understand input filters, first we'll create content as the administrator by clicking on Create content and we'll just say Blog entry. As we scroll down, we'll see a very familiar part where it says Input format. Click on that and you see the two that are included and turned on in Drupal by default, Filtered HTML and Full HTML. I am going to switch now to an ordinary user, Fishy Joe, who is logged in under the Firefox browser. When Fishy Joe creates content, once again, we'll make it a blog entry, he actually doesn't have those options; he is only allowed to enter his content as Filtered HTML. Let's take a look at how that works. We'll switch back to the administrator. To see the input filters that are available, we go back up to Administer and then to Input formats. Here, we see we have options for Filtered HTML and Full HTML. Let's take a look at how Filtered HTML is configured.

You can change the name, but you can't change which Roles can use Filtered HTML. That's because in Drupal, Filtered HTML is the basic input format, and every user is allowed to use it. Going down further, you can see a few options. The HTML corrector corrects faulty and chopped-off HTML in postings; so if somebody were to enter a bulleted list but forgot to close the tag, this would correct that. The HTML filter makes Drupal strip certain tags. It also takes out CSS styles and JavaScript events that could hurt your site. The Line break converter turns ordinary text, which has ordinary line breaks in it, into the HTML that Drupal expects, so somebody doesn't have to type the HTML line break tags by hand.

Finally, the URL filter will turn any sort of URL into a clickable link, and again, you can turn these on or off as you like. Continuing down, we see the guidelines that are shown to the user whenever they enter content using this filter. We'll see more of this in just a moment, but for right now, we'll just say Save Configuration. The other filter that's built in is Full HTML. Let's take a quick look at that by clicking on the configure link. In this one, you can choose which Roles are allowed to enter as Full HTML. If you want to allow a particular role to use that filter, you would obviously check it and then save at the bottom of the screen. If none are checked, then no role can use it, although of course the super user, you as the administrator, can use any filter that you like. Continuing down, we see that the options are the same as for Filtered HTML, except that the HTML filter is turned off, as you might imagine. Again, Drupal automatically gives you these formatting guidelines, which are shown to the user when they enter in this format.
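To make the four filter options concrete, here is a small Python model of a Filtered HTML pipeline: a tag and attribute whitelist that drops style attributes and event handlers, a corrector that closes tags the author forgot, a URL filter that links bare URLs, and a line break converter. This is an added example written for this page, not Drupal's own code; the whitelist, the filter order and the sample post are all assumptions chosen for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed whitelist, modelled on the kind of list the transcript describes
# (not Drupal's actual default configuration).
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code", "ul", "ol", "li", "p", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # style="..." and on*="..." never survive
SAFE_SCHEMES = ("http://", "https://", "mailto:")
URL_RE = re.compile(r"(https?://[^\s<>\"']+)")  # capturing group: re.split keeps the URLs


class FilteredHtml(HTMLParser):
    """HTML filter + HTML corrector + URL filter, applied in one pass over a post."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: text arrives already unescaped
        self.out = []
        self.stack = []             # tags still open; used to close what the user forgot
        self.in_link = 0            # do not auto-link URLs that already sit inside <a>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                  # e.g. <script>, <iframe>, <img>: tag dropped, text kept
        kept = ""
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue            # drops style= and every on* event handler
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue            # drops javascript: and other unexpected URL schemes
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag == "br":
            return                  # void element, nothing to close
        self.stack.append(tag)
        if tag == "a":
            self.in_link += 1

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return                  # stray closing tag, or the partner of a dropped tag
        while self.stack:           # corrector: also close anything left open inside it
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == "a":
                self.in_link -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.in_link:
            self.out.append(html.escape(data, quote=False))
            return
        for i, part in enumerate(URL_RE.split(data)):   # odd indexes are bare URLs
            safe = html.escape(part, quote=True)
            self.out.append(f'<a href="{safe}">{safe}</a>' if i % 2 else safe)

    def result(self):
        self.close()                # flush any text the parser is still buffering
        while self.stack:           # corrector: close tags still open at the end
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def convert_line_breaks(text):
    """Line break converter: ordinary newlines become <br /> tags."""
    return text.replace("\r\n", "\n").replace("\n", "<br />\n")


def filtered_html(raw):
    """Run a post body through the whole Filtered HTML pipeline."""
    parser = FilteredHtml()
    parser.feed(raw)
    return convert_line_breaks(parser.result())


# Constructed sample post: an event handler, a javascript: link with inline
# style, a bare URL, and a list whose tags were never closed.
SAMPLE_POST = (
    'Hello <strong onmouseover="steal()">world</strong>\n'
    '<a href="javascript:alert(1)" style="color:red">click</a> see http://example.com/docs\n'
    "<ul><li>first<li>second"
)

if __name__ == "__main__":
    print(filtered_html(SAMPLE_POST))
```

Disallowed tags are removed while their text is kept, which is why a pasted script shows up as harmless text rather than as code the browser runs. The order matters: URLs are linked and text is escaped before the line break converter adds its own tags, so the converter's output is never fed back through the whitelist.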

I am going to go back up and allow authenticated users to enter in Full HTML. Go back down to the bottom, and click on Save Configuration. There is one more filter type that is built into Drupal. It's called PHP. To turn it on, we'll go to Administer, Modules and then down to the PHP module. This is turned off by default because PHP in content can be extremely damaging. If you allow PHP to be entered into content and interpreted by Drupal, it could allow somebody to write malicious PHP that could destroy pages or even take over parts of your site. But we'll go down and turn it on, since I'll show you how to use it responsibly, and click Save Configuration.

Now, let's go back to our Input formats by going up to Administer and back down to Input formats. Now you see we have one more option, PHP code. Let's take a look at some of the options for writing PHP code. Click on Configure. First of all, we are going to make this available to authenticated users, and also to contributing users, even though that group is included in authenticated users. Down here, you'll notice an additional option, PHP evaluator. This is what lets Drupal actually interpret the code that somebody has entered. I am going to turn this off for now, for a reason I'll show you in a moment. We'll go down and say Save Configuration, and the Input formats settings have been updated.

Now, let's go back to our ordinary user, Fishy Joe, and see how that affects him. He is logged in under the Firefox browser. Let's say he wants to create content, a blog entry. We'll just call this Test, it's in the Buying category, and the Body is Test. We continue scrolling down and we see something we didn't see before: Input format. Here, we see we can enter Filtered HTML, Full HTML because we turned that on, and PHP code. We'll try PHP code, and then we'll go back up here and enter some PHP code just to see what happens. Don't worry if you don't understand this code; we'll show you in a minute what it does. It does something very ugly, not really destructive, but something you really don't want somebody to be putting into your site. It's going to be <?php phpinfo(); ?>.

Just to make this a little more obnoxious, let's wrap that Test in an HTML tag that makes it appear really big and ugly, and close the tag. Now, let's go down and save it. Ah! We see that big Test; however, we don't see the PHP code, and we don't see what it does either. Now let's go back to the administrator, turn that PHP evaluator back on, and then look at this again. So, we go back to the Safari browser where the administrator is logged in, go back to PHP code to configure, scroll down, turn on the PHP evaluator, scroll down further and save the configuration. Are you ready? It's going to be ugly. We switch over to the Firefox browser and reload this page.

Ah! Look at what we have. This is what that phpinfo function does. Let's go back and turn that off, because it is really ugly, and as you can see, somebody who is allowed to use the PHP filter can do quite a bit of damage very easily; at the very least, they can create some very ugly posts. So, we are going to go back and turn that off. We go into PHP code and just remove the roles that are permitted to use PHP code. If you wanted to be extra careful, you would also turn off the PHP evaluator, if you didn't want, for example, the administrator to be able to do such a thing.

Go down to the bottom and click on Save Configuration. Now, if we go back to that post and refresh, we see it's back to how it was before. Not quite so ugly, but not really great.
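The walk-through above ends with two settings that decide who can run code on the server: the roles ticked on the PHP code format and whether its PHP evaluator is on. Here is an added Python check, not part of the course or of Drupal, that models that configuration and flags the risky combinations before someone like Fishy Joe finds them. The format names and filter names are the ones shown in the transcript; the role sets, the FORMATS snapshot and the severity levels are assumptions.

```python
from dataclasses import dataclass

DEFAULT_FORMAT = "Filtered HTML"   # every role may use it; Drupal does not let you change that


@dataclass(frozen=True)
class InputFormat:
    name: str
    roles: frozenset       # roles ticked on the format's configure page (empty = administrator only)
    filters: frozenset     # filters switched on for this format


# Constructed snapshot of the configuration the transcript ends up with before the clean-up:
# Full HTML opened to authenticated users, PHP code opened to two roles with the evaluator on.
FORMATS = (
    InputFormat("Filtered HTML", frozenset(),
                frozenset({"HTML corrector", "HTML filter", "Line break converter", "URL filter"})),
    InputFormat("Full HTML", frozenset({"authenticated user"}),
                frozenset({"HTML corrector", "Line break converter", "URL filter"})),
    InputFormat("PHP code", frozenset({"authenticated user", "contributing user"}),
                frozenset({"HTML corrector", "Line break converter", "URL filter", "PHP evaluator"})),
)


def usable_formats(user_roles, formats=FORMATS, is_admin=False):
    """Which formats the Input format selector offers to a user with these roles."""
    names = []
    for fmt in formats:
        if fmt.name == DEFAULT_FORMAT or is_admin or fmt.roles & set(user_roles):
            names.append(fmt.name)
    return names


def audit_formats(formats=FORMATS):
    """Flag format settings that hand non-administrators code execution or raw HTML."""
    findings = []
    for fmt in formats:
        who = ", ".join(sorted(fmt.roles)) or "administrator only"
        if "PHP evaluator" in fmt.filters:
            # Any role listed here can run server-side code; admin-only is still worth a note.
            level = "CRITICAL" if fmt.roles else "WARNING"
            findings.append((level, fmt.name, f"PHP evaluator is on; {who} can run server-side code"))
        elif "HTML filter" not in fmt.filters and fmt.roles:
            findings.append(("HIGH", fmt.name, f"HTML filter is off; {who} can post scripts and event handlers"))
    return findings


def lock_down(formats=FORMATS):
    """The fix the transcript applies: no roles on the PHP format, and the evaluator removed."""
    return tuple(
        InputFormat(fmt.name, frozenset(), fmt.filters - {"PHP evaluator"})
        if "PHP evaluator" in fmt.filters else fmt
        for fmt in formats
    )


if __name__ == "__main__":
    print("Fishy Joe sees:", usable_formats({"authenticated user"}))
    for level, name, message in audit_formats():
        print(f"{level:8} {name}: {message}")
    print("After lock-down:", audit_formats(lock_down()))
```

Running the audit on the snapshot reports Full HTML as high (the HTML filter is off for every logged-in user) and PHP code as critical; after lock_down only the Full HTML finding remains, which matches the state the narrator leaves the site in.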

This video is part of Drupal 6 Essential Training (66 video lessons · 31212 viewers)
Author: Tom Geller
