Security Checklist for Drupal
Less Critical - Cross Site Scripting (XSS)
1. Use strip_tags
- <img src="http://dev-karthikkumardk.pantheonsite.io/Security-Checklist-for-Drupal/... echo $_GET['path']; ?>/doc/images/qb_search_settings.png" width="800" />
+ <img src="http://dev-karthikkumardk.pantheonsite.io/Security-Checklist-for-Drupal/... echo strip_tags($_GET['path']); ?>/doc/images/qb_search_settings.png" width="800" />
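Review bot: strip_tags() does not fix the src attribute in the second line. It removes tags but leaves double quotes intact, so a value such as `" onerror="alert(1)` still closes the src attribute and injects an event handler, and a `javascript:` URL passes through unchanged. For a value printed inside an HTML attribute in Drupal 7 the call is check_plain(), which encodes quotes and angle brackets: `echo check_plain($_GET['path']);`. Since the value is meant to be a site path, validating it against the set of paths the page expects (and rejecting anything else) is stronger than filtering it on output.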
2. Use check_markup
- $form[$filter_id]['#bef_term_descriptions'][$tid] = $term->description;
+ $form[$filter_id]['#bef_term_descriptions'][$tid] = check_markup($term->description, $term->format, '', TRUE);
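Review bot: check_markup() is the right replacement, because taxonomy term descriptions are stored together with a text format and must be rendered through that format rather than echoed raw. Two things to confirm on the added line: $term->format must be the format actually stored on the term, since check_markup() falls back to filter_fallback_format() only when the argument is NULL and returns an empty string (with a watchdog entry) when the format does not exist, which would silently blank the description; and '#bef_term_descriptions' now holds rendered HTML, so whatever theme code prints it must output it as-is and not run check_plain() over it a second time.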
Moderately Critical - Access Bypass
1. Menu to be cached per role http://cgit.drupalcode.org/wetkit_omega/commit/?id=ce4b66dd751b5279dc37…
'expire' => CACHE_TEMPORARY,
- 'granularity' => DRUPAL_CACHE_PER_PAGE, // unset this to cache globally
+ 'granularity' => DRUPAL_CACHE_PER_ROLE, // unset this to cache globally
);
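Review bot: the trailing comment `// unset this to cache globally` no longer describes the line it sits on; DRUPAL_CACHE_PER_ROLE exists precisely so that the block is not shared across roles, so reword or drop it. Also confirm that dropping DRUPAL_CACHE_PER_PAGE is intended: a menu that renders an active trail differs per page, and the flags combine as `'granularity' => DRUPAL_CACHE_PER_ROLE | DRUPAL_CACHE_PER_PAGE`. Finally, per-role caching only closes the bypass if every link's visibility is decided by role alone; links hidden by per-user access checks such as node access still leak between users who share a role and need DRUPAL_CACHE_PER_USER instead.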
Moderately Critical - Multiple vulnerabilities
1. Use filter_xss
$data = $node_wrapper->{$field}->value();
+ $clean_name = filter_xss($data->name);
- $render = l($data->name, 'node/' . $todo_list_nid,
+ $render = l($clean_name, 'node/' . $todo_list_nid,
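Review bot: filter_xss() before l() is the wrong layer for this fix. l() runs check_plain() on its $text argument unless 'html' => TRUE is passed in the options array, so any entity that filter_xss() leaves in $data->name is encoded a second time and shows up on the page as a literal `&amp;` or `&lt;`. Decide what the name is: if it is plain text, pass it to l() unfiltered and let check_plain() do the escaping; if it is meant to carry markup, keep filter_xss() and add 'html' => TRUE to the options. The snippet is cut off before the options array, so check which case applies in the full call.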