Text formats

Drupal’s Text Formats system provides a way to create tiers of rich-text content entry ability. Text formats can be managed at Configuration > Content Formatting > Text formats and editors (/admin/config/content/formats).

Note

If you need more control over the look and feel, and are comfortable with HTML input, you can enter HTML directly by clicking the Source button in the toolbar. However, to prevent the injection of malicious code, most text formats limit which tags are allowed, as described below.

Flex HTML

For developers

The Flex HTML text format is provided and managed by ITS and should not be configured. If you have a similar use case, create a new text format filter. When creating a new text format, it’s always best to keep input format settings as secure as possible. Select the least amount of functionality possible for each role, and use the “Limit HTML tags” filter whenever possible.

The “Flex HTML” toolbar contains standard formatting options and the ability to create headings, links, lists, and media (images and videos).

A screenshot of Flex HTML toolbar

“Flex HTML” includes filters which:

  • limit allowed HTML tags and correct faulty HTML

  • automatically convert URLs into links

  • align and caption images

  • apply responsive behavior to HTML tables

  • support Embedding Qualtrics forms with a shortcode

  • allow media to be embedded

For security reasons, some HTML tags are not allowed in Flex HTML:

| HTML Code | Notes |
| --- | --- |
| <embed> | Typically used for embedding videos. The ability to embed various types of media simply by adding a URL is in the roadmap, but not yet supported. |
| <form> | It is recommended to use a campus service such as Qualtrics for providing user-facing forms. |
| <iframe> | Typically used for embedding videos. The ability to embed various types of media simply by adding a URL is in the roadmap, but not yet supported. |
| <object> | Typically used for embedding videos. The ability to embed various types of media simply by adding a URL is in the roadmap, but not yet supported. |
| <param> | Typically used for embedding videos. The ability to embed various types of media simply by adding a URL is in the roadmap, but not yet supported. |
| <select> | This tag is generally used within a <form> tag to provide a drop-down list for user selection. It is recommended to use a campus service such as Qualtrics for providing user-facing forms. |
| <script> | The <script> tag can be abused to insert malicious code. JavaScript should instead be added within website code. |
| <style> | To maintain branding consistency, the <style> tag is disallowed. |
| <svg> | Scalable Vector Graphics can contain arbitrary JavaScript, and therefore pose a security vulnerability. |
| <textarea> | This tag is generally used within a <form> tag to define a multi-line text input field. It is recommended to use a campus service such as Qualtrics for providing user-facing forms. |

Basic HTML

“Basic HTML” is a more limited text format that is provided by the Drupal framework, and is included as a courtesy for site consistency. Generally speaking, the “Flex HTML” format is more tailored to rich text content editing, and should therefore be preferred over “Basic HTML.”

“Basic HTML” includes filters which:

  • limit allowed HTML tags and correct faulty HTML

  • align and caption images

Restricted HTML

For situations where content editors should be able to add some HTML, but do not need access to a rich text toolbar, “Restricted HTML” is a good option.

Full HTML

The “Full HTML” text format’s toolbar and filters are identical to those of the “Flex HTML” text format, but it does not restrict any HTML markup. This differs from a generic Drupal installation, where the Full HTML text format does not include media library integration or advanced text format filters.

Because it allows all HTML tags, “Full HTML” can be used for third party content. See Other embeds that require <script> or <iframe> tags.

Access to the “Full HTML” text format should be granted with caution. It allows adding any arbitrary HTML, which creates the possibility for both divergent styling and security risks.
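The guidance above on keeping new text formats restrictive and granting “Full HTML” with caution can be checked against a site's exported configuration. The following is an added example, not code from ITS or the Drupal project: it assumes the `filter.format.*.yml` and `user.role.*.yml` exports have already been parsed into dictionaries, and the machine names `flex_html`, `custom_embed` and `site_admin`, along with all sample data, are constructed for illustration.

```python
import re

# Tags the page lists as not allowed in Flex HTML.
DISALLOWED = set("embed form iframe object param select script style svg textarea".split())
# Drupal's built-in roles that cover visitors and every logged-in user.
BROAD_ROLES = {"anonymous", "authenticated"}

def allowed_tags(allowed_html):
    """Tag names in a 'Limit HTML tags' allowed_html string such as '<a href> <p>'."""
    return {t.lower() for t in re.findall(r"<\s*([A-Za-z][A-Za-z0-9-]*)", allowed_html)}

def audit_format(fmt):
    """Findings for one text format (a filter.format.*.yml export parsed to a dict)."""
    limit = fmt.get("filters", {}).get("filter_html", {})
    if not limit.get("status"):
        return ["'Limit HTML tags' filter is off: all markup is accepted"]
    risky = allowed_tags(limit.get("settings", {}).get("allowed_html", "")) & DISALLOWED
    return ["allows restricted tags: " + ", ".join(sorted(risky))] if risky else []

def audit(formats, roles):
    """Map format id -> findings, noting broad roles permitted to use a flagged format."""
    report = {}
    for fmt in formats:
        findings = audit_format(fmt)
        if not findings:
            continue
        perm = "use text format " + fmt["format"]
        exposed = sorted(r["id"] for r in roles
                         if r["id"] in BROAD_ROLES and perm in r.get("permissions", []))
        if exposed:
            findings.append("usable by broad roles: " + ", ".join(exposed))
        report[fmt["format"]] = findings
    return report

# Constructed sample data, shaped like exported Drupal config after YAML parsing.
FORMATS = [
    {"format": "flex_html", "filters": {"filter_html": {"status": True, "settings": {
        "allowed_html": "<a href> <p> <h2 id> <ul> <li> <img src alt>"}}}},
    {"format": "custom_embed", "filters": {"filter_html": {"status": True, "settings": {
        "allowed_html": "<p> <iframe src width height> <script src>"}}}},
    {"format": "full_html", "filters": {}}]
ROLES = [{"id": "authenticated", "permissions": ["use text format custom_embed"]},
         {"id": "site_admin", "permissions": ["use text format full_html"]}]

if __name__ == "__main__":
    for name, findings in audit(FORMATS, ROLES).items():
        print(name, "->", "; ".join(findings))
```

A format that appears in the report is not necessarily misconfigured (“Full HTML” is unrestricted by design); the report shows which formats need their role assignments reviewed.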