Questions about module programming

EdBiancarelli

First, sorry if this isn't the right place and way to ask.

I'm developing a new module and have 2 questions about security.

1 - My module has a Config page where only admin (or another user with same rights) has access. Like /admin/config/system/site-information.
In this config, I have some fields that will be shown later in HTML output.
Question: Must I filter this content against XML injection (filter_xss or filter_xss_admin), or can I trust this user?

2 - To generate the HTML output, I have a field with a Token. This field itself is already checked against injection, but must the content of the token (which may be the body, title, or any other field filled in by the user) be checked too, or can I trust that these fields are already filtered by the system?

Thanks in advance for any directions about it.

Edvaldo

Comments

Do the fields need to have

greggles
  1. Do the fields need to have javascript or iframes or similar in them? If so, then be sure that the config page uses a permission marked with 'restrict access' => TRUE and you don't need to filter them. If they don't need javascript/iframes etc. then it is appropriate to use filter_xss or filter_xss_admin.
  2. When you call token_replace one of the $options to pass is 'sanitize' which defaults to true. As long as you leave that, you can trust that filtering has already been done in the preparation of the tokens that will sanitize them for output in an html context.
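The two points in the answer above, put together in a small Drupal 7 module. This is an added example, not code posted by greggles or by the original poster; the module name xss_demo, the permission name, the variable names and the field layout are all assumptions. It shows one config field that is filtered on output with filter_xss_admin, one field that is output unfiltered only because its permission carries 'restrict access' => TRUE, and a token field rendered with token_replace leaving 'sanitize' at its default.

```php
<?php
/**
 * @file
 * Added example (not from the thread): a config page whose fields end up in
 * HTML output. Module name xss_demo and all variable/permission names are
 * assumptions chosen for the illustration.
 */

/**
 * Implements hook_permission().
 *
 * 'restrict access' => TRUE marks the permission in the UI as one that hands
 * out full site control. That is the precondition in the answer above for
 * outputting a stored field without filtering.
 */
function xss_demo_permission() {
  return array(
    'administer xss_demo' => array(
      'title' => t('Administer the xss_demo banner'),
      'description' => t('Warning: the embed code field is output without filtering.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function xss_demo_menu() {
  $items['admin/config/system/xss-demo'] = array(
    'title' => 'xss_demo banner',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('xss_demo_settings_form'),
    'access arguments' => array('administer xss_demo'),
  );
  return $items;
}

/**
 * Settings form: three fields with three different trust models.
 */
function xss_demo_settings_form($form, &$form_state) {
  // Needs only basic markup: filtered on output (point 1, second case).
  $form['xss_demo_intro'] = array(
    '#type' => 'textarea',
    '#title' => t('Intro text (basic HTML only)'),
    '#default_value' => variable_get('xss_demo_intro', ''),
  );
  // Needs <script>/<iframe>: output raw, acceptable only because the
  // permission above is marked 'restrict access' (point 1, first case).
  $form['xss_demo_embed'] = array(
    '#type' => 'textarea',
    '#title' => t('Embed code (script/iframe allowed, output unfiltered)'),
    '#default_value' => variable_get('xss_demo_embed', ''),
  );
  // Template containing tokens whose values come from end users (point 2).
  $form['xss_demo_template'] = array(
    '#type' => 'textfield',
    '#title' => t('Banner template (tokens allowed)'),
    '#default_value' => variable_get('xss_demo_template', '[node:title] by [node:author]'),
  );
  return system_settings_form($form);
}

/**
 * Builds the HTML shown to site visitors for a given node.
 */
function xss_demo_render_banner($node) {
  // Admin-written, but does not need scripts: filter it anyway.
  $intro = filter_xss_admin(variable_get('xss_demo_intro', ''));

  // Deliberately unfiltered; the 'restrict access' permission is the control.
  $embed = variable_get('xss_demo_embed', '');

  // The template is admin-written and filtered; the token *values* (title,
  // author name, ...) are user-written. Leaving $options['sanitize'] at its
  // default TRUE makes token_replace return escaped replacements.
  $template = filter_xss_admin(variable_get('xss_demo_template', ''));
  $banner = token_replace($template, array('node' => $node));

  return '<div class="xss-demo-intro">' . $intro . '</div>'
    . '<div class="xss-demo-embed">' . $embed . '</div>'
    . '<div class="xss-demo-banner">' . $banner . '</div>';
}
```

If you ever call token_replace with array('sanitize' => FALSE) you take over the escaping yourself, so the default is the safe choice unless the template is consumed somewhere that is not an HTML context.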

Security
