You are here

Home » API reference » Acquia Connector 7.3 » security_review.inc

function acquia_spi_security_review_check_input_formats in Acquia Connector 7.3

Same name and namespace in other branches
  1. 6.2 acquia_spi/security_review.inc \acquia_spi_security_review_check_input_formats()
  2. 7.2 acquia_spi/security_review.inc \acquia_spi_security_review_check_input_formats()

Check input formats.

Check for formats that either do not have HTML filter that can be used by untrusted users, or if they do check if unsafe tags are allowed.

1 string reference to 'acquia_spi_security_review_check_input_formats'
_acquia_spi_security_review_security_checks in acquia_spi/security_review.inc
Checks for acquia_spi_security_review_get_checks().

File

acquia_spi/security_review.inc, line 260
Stand-alone security checks and review system.

Code

function acquia_spi_security_review_check_input_formats() {
  $result = TRUE;
  $formats = filter_formats();
  $check_result_value = array();

  // Check formats that are accessible by untrusted users.
  $untrusted_roles = acquia_spi_security_review_untrusted_roles();
  $untrusted_roles = array_keys($untrusted_roles);
  foreach ($formats as $id => $format) {
    $format_roles = filter_get_roles_by_format($format);
    $intersect = array_intersect(array_keys($format_roles), $untrusted_roles);
    if (!empty($intersect)) {

      // Untrusted users can use this format.
      $filters = filter_list_format($format->format);

      // Check format for enabled HTML filter.
      if (in_array('filter_html', array_keys($filters)) && $filters['filter_html']->status) {
        $filter = $filters['filter_html'];

        // Check for unsafe tags in allowed tags.
        $allowed_tags = $filter->settings['allowed_html'];
        $unsafe_tags = acquia_spi_security_review_unsafe_tags();
        foreach ($unsafe_tags as $tag) {
          if (strpos($allowed_tags, '<' . $tag . '>') !== FALSE) {

            // Found an unsafe tag.
            $check_result_value['tags'][$id] = $tag;
          }
        }
      }
      elseif (!in_array('filter_html_escape', array_keys($filters)) || !$filters['filter_html_escape']->status) {

        // Format is usable by untrusted users but does not contain the HTML
        // Filter or the HTML escape.
        $check_result_value['formats'][$id] = $format;
      }
    }
  }
  if (!empty($check_result_value)) {
    $result = FALSE;
  }
  return array(
    'result' => $result,
    'value' => $check_result_value,
  );
}