Input Formats


One of the biggest sources of confusion for new users surrounds the use of input formats.

Input formats are a necessary security feature on a dynamic website - especially one that allows interaction from an external audience.

A dynamic website can use a variety of different code languages.  At the base of all the code languages is HTML, which is the language of the web.  For Drupal, PHP is a main language as well.  PHP is a dynamic scripting language that provides the ability to create and display real time changes on your site.  Drupal has been built using this language.  Other code languages, such as javascript, might be present as well.

While these different types of code are used to create really cool things on your site, they can also be used maliciously if the wrong people are allowed to use them.  Even Cascading Style Sheets (CSS), which isn't a language at all, but a set of style specifications, can be used as a vehicle to damage or take over your site.

Input formats are a way to control what kind of user is allowed to use specific types of code, or "input", in the Tiny MCE text editor.

There are three different input formats defined on your OSU Drupal 6 site:

  • Filtered HTML
    • Default input format that every role can use.  Strips all but the most essential HTML code out of text entries entered into the text editor. A rich text editor is provided here.
  • Full HTML
    • Available to Authors, Advanced Authors, and Administrators. Allows the inclusion of inline CSS styles, which help with formatting content. A rich text editor is provided here.
  • PHP
    • Available to Advanced Authors and Administrators.  Allows the use of PHP and other complex code.  No rich text editor is provided here.

To allow interaction from anonymous users, such as providing them the ability to submit Webforms, a default input format must be supplied that all users, including the anonymous ones, can use.  Anonymous users can only use Filtered HTML.  Allowing anonymous users access to any of the other input formats is dangerous, as you don't know who is on the other end and what they are injecting into your site via the text editor.

Authors can use both Filtered HTML and Full HTML.  This allows authors on the site the ability to add inline CSS styles to their content to do things such as embedding an image and having the text float up around the image.  Keeping this in mind, one of the first things to look at if your embedded images or video players aren't acting the way you expect them to, check the input format to ensure it's set to Full HTML.  Authors do not even see the PHP option.

Author Input Formats
author level input formats: Filtered HTML option and Full HTML option, Full HTML is checked

Advanced Authors and Administrators can use all input formats.  This is where the assignment of roles on a site is very important.  If you have an Advanced Author or Administrator who does not know how to write code, they should be strongly discouraged from experimenting on a production site as different types of code, when used incorrectly, can completely destroy your site.

Advanced Author and Administrator Input Formats
advanced author and admin input format options: filtered html, full html (checked), and php

So now that we understand a little bit about input formats, let's move on to some specifics about using the text editor...