Drupal text filtering decision cheat sheet
This flowchart is based on the one that Heine Deelstra presented at Drupalcon Paris.
I'm hopeful that the presentation will be helpful in eliminating Drupal's most common security issue!
| Attachment | Size |
|---|---|
| filtering_text.pdf | 55.82 KB |
Comments
Filter Preprocess variables?
Great webinar today!
You mentioned something we do pretty often, which is preprocess a block, page, node, view, etc. and recondition them to nicer variables so that our themers can work with 'cleaner' tpl files.
If I'm reassigning a variable in a preprocess for a view, do I need to filter that? The data is user-generated code from a cck field, so I'm guessing 'yes'.
Example: I have a custom theme named 'alice' and a preprocess for a view called 'front page feature' in the block format. Do I need to wrap each one in filter_xss()?
```php
function alice_preprocess_views_view__front_page_feature__block(&$variables) {
  // Make nicer variables from the view object for the .tpl.php file.
  // These values are copied as-is: nothing here escapes or filters them yet.
  $variables['img'] = $variables['view']->field['field_frontpage_image_fid']->original_value;
  $variables['type'] = $variables['view']->field['type']->original_value;
  $variables['title'] = $variables['view']->field['title']->original_value;
}
```
give it a shot
Given that you're reading it in from the existing $variables it's probably not necessary to add more filtering, but I think it's always better to try it out than just assume one way or the other.
Try adding an appropriate filter function (you can use the filter cheatsheet to decide which one to use) onto these variables. You should know pretty quickly if you end up with "double escaped" values or if things work properly. Use things like quotes, or an ampersand to test for double escaping.
You can also enter basic javascript into the field and see if it passes through or gets escaped - sometimes field validation will prevent adding that text so you should just add it directly to the database.
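The following is an added example of what "adding an appropriate filter function" to the preprocess above can look like; it is not code from the original post, nor from Drupal core or Views. It keeps the theme name `alice`, the display name and the three field keys from the commenter's snippet (all assumptions about that site), and uses the Drupal 6 filter functions the cheat sheet decides between: `check_plain()`, `filter_xss()`, `filter_xss_admin()` and `check_markup()`. The last helper is a development aid for the double-escaping test the reply recommends.

```php
<?php
// Added example (not code from the original post, nor from Drupal core or Views).
// Assumes the Drupal 6 / Views 2 API used in the question above; the theme
// name 'alice', the view display and the field keys come from the commenter's
// snippet and are assumptions about that site.

/**
 * Preprocess for the 'front page feature' view, block display.
 *
 * Each value copied out of the view object is filtered exactly once, here,
 * according to where it came from, so the .tpl.php can use a plain print.
 */
function alice_preprocess_views_view__front_page_feature__block(&$variables) {
  $view = $variables['view'];

  // Node title: plain text typed by a user, so escape it with check_plain().
  $variables['title'] = check_plain($view->field['title']->original_value);

  // Node type: a machine name, but it still originated outside this code
  // path, so treat it as plain text as well.
  $variables['type'] = check_plain($view->field['type']->original_value);

  // An image fid is a number, not text, so no HTML filter applies; casting to
  // int guarantees nothing but digits reaches the template or a later query.
  $variables['img_fid'] = (int) $view->field['field_frontpage_image_fid']->original_value;
}

/**
 * The same decision for values that are allowed to carry HTML: choose the
 * filter by the data's origin, never by how it "looks".
 *
 * @param string $text   Raw (unfiltered) text pulled from the view object.
 * @param string $origin One of 'user_html', 'limited_html', 'admin_html';
 *                       anything else is treated as plain text.
 * @param int $format    Input format id, used only for 'user_html'.
 */
function alice_filter_for_output($text, $origin, $format = FILTER_FORMAT_DEFAULT) {
  switch ($origin) {
    case 'user_html':
      // Body-like fields carry their own input format: let that format's
      // filters do the work, and do not escape the result a second time.
      return check_markup($text, $format);

    case 'limited_html':
      // Short HTML fragments with no input format: reduce to a safe tag set.
      return filter_xss($text, array('a', 'em', 'strong'));

    case 'admin_html':
      // Text only administrators can set (for example a slogan with markup).
      return filter_xss_admin($text);

    default:
      return check_plain($text);
  }
}

/**
 * Development aid for the "double escaping" test: returns TRUE if $html
 * contains an entity that has itself been entity-encoded, which is what
 * running check_plain() over already-escaped text produces.
 */
function alice_looks_double_escaped($html) {
  return (bool) preg_match('/&amp;(amp|lt|gt|quot|#039);/', $html);
}
```

During development, pass each template variable through `alice_looks_double_escaped()` (for instance from a `watchdog()` call in the preprocess) after saving test content that contains an ampersand and quotes: a single correct escape turns `&` into `&amp;`, while a double escape leaves `&amp;amp;` behind. Once the variables are filtered in preprocess, the matching `.tpl.php` must print them without applying `check_plain()` again, otherwise the same test will flag it.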
Great Graph!
That's a fantastic graph. XSS errors are far too easy to introduce into the workflow, but I've never seen such a clear/concise representation to present to users about how the content should be filtered for output. This is great.
thanks!
I'm glad you like it. Remember that the inspiration came from Heine's presentation at Drupalcon Paris. You can watch the whole thing at http://www.archive.org/details/Keepyourcodesafe-Tipsfromthesecurityteam