Posted by coltrane on November 19, 2012 at 5:36pm
Hi,
As part of an effort to expand Drupal-specific static code analysis tests for vulnerabilities underway in Coder 7.x-2.x (http://drupal.org/node/1844870) I am curious about common errors made by developers that open up exploits. What problems are easy to make (and discover) that we can 1) write automated checks for and 2) get those corrected for newer major versions of Drupal core.
For example, in Drupal 6 drupal_set_title() set the contents of the h1 tag without sanitizing the argument, and developers commonly passed it the raw node title, opening up an XSS exploit. Drupal 7 sanitizes the input for drupal_set_title() by default.
What common mistakes have you seen in Drupal 6 and 7?
Comments
a few
Drupal 6
Drupal 6 and Drupal 7
+1 for "printing unsafe properties of node object" it's very easy to shoot yourself in the foot with something like this:
function mytheme_preprocess_node(&$vars) {
  // Raw stored value, NOT run through the field's text format or escaped.
  $field = field_get_items('node', $vars['node'], 'field_xss');
  $unfiltered_output = $field[0]['value'];
  // Outputs the unescaped value: this is the XSS hole described above.
  print $unfiltered_output;
}
I wish the fields were called "unsafe value" and "value", rather than "value" and "safe_value" :)
--
@daniel_nitsche
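The unsafe pattern from the comment above, placed beside two safe ways of getting the same field onto the page with the Drupal 7 field API. This is an added example, not code from the thread or from Drupal itself; the field name field_xss and the template variable xss_demo are assumptions.

```php
<?php
// Added example (not from the original post or from Drupal core): the
// unsafe pattern beside two safe alternatives, using Drupal 7 field API calls.

/**
 * Vulnerable: exposes the raw stored value, so any HTML or script a user
 * typed into field_xss reaches the template unescaped.
 */
function mytheme_preprocess_node_unsafe(&$vars) {
  $items = field_get_items('node', $vars['node'], 'field_xss');
  if ($items) {
    $vars['xss_demo'] = $items[0]['value'];  // raw, unfiltered value
  }
}

/**
 * Safe, option 1: use the 'safe_value' key. The text module fills it in on
 * load by running the value through the field's text format (check_markup(),
 * or check_plain() when text processing is off for the field).
 */
function mytheme_preprocess_node_safe_value(&$vars) {
  $items = field_get_items('node', $vars['node'], 'field_xss');
  if ($items && isset($items[0]['safe_value'])) {
    $vars['xss_demo'] = $items[0]['safe_value'];
  }
}

/**
 * Safe, option 2: let the field's formatter render the item, which works for
 * any field type, not only text fields. When the value should appear as
 * literal text (a label, an attribute), escape it explicitly with check_plain().
 */
function mytheme_preprocess_node_rendered(&$vars) {
  $items = field_get_items('node', $vars['node'], 'field_xss');
  if ($items) {
    $element = field_view_value('node', $vars['node'], 'field_xss', $items[0]);
    $vars['xss_demo'] = drupal_render($element);
    $vars['xss_demo_plain'] = check_plain($items[0]['value']);
  }
}
```

A static check along the lines the original post asks for would flag any read of `['value']` on a field item that flows into `print`, a template variable or `t()` without passing through `check_plain()`, `check_markup()`, `field_view_value()` or the `safe_value` key.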