"Cracking Drupal
is probably going to be
the first Drupal book I buy."
- Angie 'webchick' Byron
This flowchart is based on the one that Heine Deelstra presented at Drupalcon Paris.
I'm hopeful that the presentation will be helpful in eliminating Drupal's most common security issue!
| Attachment | Size |
|---|---|
| filtering_text.pdf | 55.82 KB |
Written by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal and how to prevent them from continuing.
Curious about Drupal's security? Consider Drupal but want to make sure it's good enough? Read the Drupal Security Report
If you are concerned about whether your site is secure, consider using the Security Review Module to get a free review of your site's security health. Did it find problems? Consider hiring a security expert from Drupal Scout to audit your site.
Comments
Filter Preprocess variables?
Great webinar today!
You mentioned something we do pretty often, which is preprocess a block, page, node, view, etc. and recondition them to nicer variables so that our themers can work with 'cleaner' tpl files.
If I'm reassigning a variable in a preprocess for a view, do I need to filter that? The data is user-generated code from a cck field, so I'm guessing 'yes'.
Example: I have a custom theme named 'alice' and a preprocess for a view called 'front page feature' in the block format. Do I need to wrap each one in filter_xss()?
function alice_preprocess_views_view__front_page_feature__block(&$variables) {
//make nicer variables from view object to variables array
$variables['img'] = $variables['view']->field['field_frontpage_image_fid']->original_value;
$variables['type'] = $variables['view']->field['type']->original_value;
$variables['title'] = $variables['view']->field['title']->original_value;
}
give it a shot
Given that you're reading it in from the existing $variables it's probably not necessary to add more filtering, but I think it's always better to try it out than just assume one way or the other.
Try adding an appropriate filter function (you can use the filter cheatsheet to decide which one to use) onto these variables. You should know pretty quickly if you end up with "double escaped" values or if things work properly. Use things like quotes, or an ampersand to test for double escaping.
You can also enter basic javascript into the field and see if it passes through or gets escaped - sometimes field validation will prevent adding that text so you should just add it directly to the database.
Great Graph!
That's a fantastic graph. XSS errors are far to easy to introduce into the workflow, but I've never seen such a clear/concise representation to present to users about how the content should be filtered for output. This is great.
thanks!
I'm glad you like it. Remember that the inspiration came from Heine's presentation at Drupalcon Paris. You can watch the whole thing at http://www.archive.org/details/Keepyourcodesafe-Tipsfromthesecurityteam