function acquia_spi_security_review_check_input_formats in Acquia Connector 7.2
Same name and namespace in other branches
- 6.2 acquia_spi/security_review.inc \acquia_spi_security_review_check_input_formats()
- 7.3 acquia_spi/security_review.inc \acquia_spi_security_review_check_input_formats()
Check for text formats usable by untrusted users that either do not have an HTML filter or, if they do, allow unsafe tags.
1 string reference to 'acquia_spi_security_review_check_input_formats'
- _acquia_spi_security_review_security_checks in acquia_spi/
security_review.inc - Checks for acquia_spi_security_review_get_checks().
File
- acquia_spi/
security_review.inc, line 249 - Stand-alone security checks and review system.
Code
/**
 * Security check: text formats reachable by untrusted roles.
 *
 * A format is reported when at least one untrusted role may use it and
 * either (a) its HTML filter is enabled but whitelists a tag from
 * acquia_spi_security_review_unsafe_tags(), or (b) neither the HTML
 * filter nor the HTML escape filter is enabled, so markup passes through
 * unfiltered.
 *
 * @return array
 *   'result' => TRUE when nothing was flagged, FALSE otherwise.
 *   'value'  => array with optional keys:
 *     - 'tags': format id => unsafe tag found in allowed_html (when several
 *       unsafe tags are allowed, only the last one checked is kept).
 *     - 'formats': format id => format object with no HTML/escape filter.
 */
function acquia_spi_security_review_check_input_formats() {
  $findings = array();
  // Role ids that the review treats as untrusted (e.g. anonymous).
  $untrusted_rids = array_keys(acquia_spi_security_review_untrusted_roles());

  foreach (filter_formats() as $id => $format) {
    // Only formats that at least one untrusted role may use are of interest.
    $format_rids = array_keys(filter_get_roles_by_format($format));
    if (!array_intersect($format_rids, $untrusted_rids)) {
      continue;
    }

    $filters = filter_list_format($format->format);
    $html_filter_on = isset($filters['filter_html']) && $filters['filter_html']->status;
    $escape_filter_on = isset($filters['filter_html_escape']) && $filters['filter_html_escape']->status;

    if ($html_filter_on) {
      // HTML filter is active: look for unsafe tags in its whitelist. The
      // allowed_html setting is expected to list tags in "<tag>" form.
      $allowed_html = $filters['filter_html']->settings['allowed_html'];
      foreach (acquia_spi_security_review_unsafe_tags() as $tag) {
        if (strpos($allowed_html, '<' . $tag . '>') !== FALSE) {
          $findings['tags'][$id] = $tag;
        }
      }
    }
    elseif (!$escape_filter_on) {
      // No HTML filter and no HTML escape: untrusted users can submit
      // arbitrary markup through this format.
      $findings['formats'][$id] = $format;
    }
  }

  return array(
    'result' => empty($findings),
    'value' => $findings,
  );
}