Drupal Secure Coding

https://events.drupal.org/dublin2016/sessions/cracking-drupal

Insecure code is buggy code

One man's bug is another man's hack

Code

$username = 'hacker">LOL <img alt="';

 

print '<a title="' . $username . '">Not funny</a>';

Output

<a title="hacker">LOL<img alt="">Not funny</a>

Rule of Thumb

  • Avoid using db_query
  • Don't use eval()
  • Avoid using $_GET $_POST, especially in custom code
  • Use t() function properly
  • Try to use theme functions as much as possible, but...
  • Be weary of unsanitized theme functions and properties (#markup, #prefix/suffix, #description, etc)
  • Other wise know your sanitation functions
  • Double sanitation is a female dog

t() Function

  • check_plain() - kills (escapes) any html
  • check_markup() - allows limited html (a, strong, br, etc)
  • filter_xss - allows all markup but inline js and css

Sanitation functions

  • Use string parameters
    • ! for evil unsanitized strings (if you must use html)
    • @ for sanitized strings (also %)
  • Good: t('Name from db: @name', array('@name' => $name);
  • Bad: t('Name from db: !name' . array('!name' => '<div>'.$name.'</div>'));
  • OK: t('Name from db: !name' . array('!name' => '<div>'.check_plain($name).'</div>'));
  • ! parameter removed in D8

Drupal Secure Coding

By dofinity

Made with Slides.com

Drupal Secure Coding

  • 279

More from dofinity