Drupal Secure Coding

https://events.drupal.org/dublin2016/sessions/cracking-drupal

Insecure code is buggy code

One man's bug is another man's hack

Code

$username = 'hacker">LOL <img alt="';

print '<a title="' . $username . '">Not funny</a>';

Output

<a title="hacker">LOL <img alt="">Not funny</a>

Rule of Thumb

  • Avoid using db_query()
  • Don't use eval()
  • Avoid using $_GET / $_POST, especially in custom code
  • Use the t() function properly
  • Try to use theme functions as much as possible, but...
  • Be wary of unsanitized theme functions and properties (#markup, #prefix/#suffix, #description, etc)
  • Otherwise, know your sanitation functions
  • Double sanitation is a female dog

Sanitation functions

  • check_plain() - kills (escapes) any html
  • check_markup() - allows limited html (a, strong, br, etc)
  • filter_xss() - allows all markup but inline js and css

t() Function

  • Use string parameters
    • ! inserts the value unescaped - only if you must pass html, and only after sanitizing it
    • @ for strings t() should escape for you (also %)
  • Good: t('Name from db: @name', array('@name' => $name));
  • Bad: t('Name from db: !name', array('!name' => '<div>' . $name . '</div>'));
  • OK: t('Name from db: !name', array('!name' => '<div>' . check_plain($name) . '</div>'));
  • ! parameter removed in D8
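The Good/Bad/OK cases and the title-attribute injection from the opening slide, run end to end as an added example (not code from the slides or from Drupal core): check_plain_demo() and format_string_demo() are local stand-ins written for this example that mirror the Drupal 7 rules described above, so it runs with plain PHP and no Drupal install.

```php
<?php
// Added example, not from the slides: stand-ins for Drupal 7's check_plain()
// and the placeholder rules of t()/format_string(). Names ending in _demo
// are assumptions made for this example.

function check_plain_demo($text) {
  // D7 check_plain(): escape &, <, >, " and ' for use in HTML.
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function format_string_demo($string, array $args) {
  // Same rules as D7 format_string(): '@' escapes, '%' escapes and wraps in
  // <em>, '!' inserts the value verbatim, so the caller must sanitize it.
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = check_plain_demo($value);
        break;
      case '!':
        // Pass-through: any HTML in $value reaches the page untouched.
        break;
      case '%':
      default:
        $args[$key] = '<em class="placeholder">' . check_plain_demo($value) . '</em>';
        break;
    }
  }
  return strtr($string, $args);
}

// The slide's attacker-controlled value.
$username = 'hacker">LOL <img alt="';

// Attribute context: unescaped, the quote breaks out of title="..."; escaped, it stays text.
echo 'Unsafe: <a title="' . $username . '">Not funny</a>', "\n";
echo 'Safe:   <a title="' . check_plain_demo($username) . '">Not funny</a>', "\n";

// Good: '@' escapes for you.
echo 'Good: ', format_string_demo('Name from db: @name', array('@name' => $username)), "\n";

// Bad: '!' with raw data; the injected markup survives.
echo 'Bad:  ', format_string_demo('Name from db: !name', array('!name' => '<div>' . $username . '</div>')), "\n";

// OK: '!' only once the untrusted part is escaped; the <div> is our own markup.
echo 'OK:   ', format_string_demo('Name from db: !name', array('!name' => '<div>' . check_plain_demo($username) . '</div>')), "\n";
```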