HomeEngagementContentDiscoveryOther Resources

The contents of HTML fields can be cleaned both on _client-side_ and the _server-side_.

## Client-side

Client-side HTML cleaning is done by CKEditor itself. This feature is called [Advanced Content Filter (ACF)](🔗). Each plugin and command added to or removed from CKEditor influences the allowed HTML. For example, when there is no plugin to add an image, <img> tags will be removed automatically. This filtering also applies to attributes, which can, for instance, be allowed or required.

ACF can also be controlled per editor instance via the configuration property [extraAllowedContent](🔗). Note that `extraAllowedContent` must be specified in [JSON object format](🔗). For example:


More information on ACF and how to configure it can be found at the [CKEditor documentation website](🔗).
### Disable client-side HTML cleaning
ACF is enabled by default. To disable ACF, set the CKEditor property [allowedContent](🔗) to true:
[ckeditor.config.overlayed.json](🔗):

## Server-side
Server-side HTML cleaning is done by an _HTML-processor_. The HTML-processor checks, cleans, and corrects the output of rich-text fields, as well as management of internal links and images. The configuration of the HTML-processor works on the basis of an allowlist that defines which elements are allowed and the attributes they may contain. If an attribute is not configured as allowed, it is stripped from the output (text nodes from elements are preserved).
By default, server-side HTML cleaning also removes any usage of the `javascript:` protocol and the `data:` protocol all `<a>`  and `<object>` attributes.
### Configuration
A CKEditor field is configured with an HTML-processor by setting the configuration property [htmlprocessor.id](🔗).
The following HTML-processor configurations are available:
  1. `formatted`: contains an allowlist of elements used in Formatted fields.
  2. `richtext`: contains an allowlist of elements used in Rich Text fields and manages internal links and images.
  3. `no-filter`: contains an empty allowlist but does manage internal links and images when applied to Rich Text fields.
### Disable server-side HTML cleaning
Change the configuration property [htmlprocessor.id](🔗) to `no-filter`.