private function SecurityReviewController::checkInputFormats in Acquia Connector 8

Same name and namespace in other branches
  1. 8.2 src/Controller/SecurityReviewController.php \Drupal\acquia_connector\Controller\SecurityReviewController::checkInputFormats()
  2. 3.x src/Controller/SecurityReviewController.php \Drupal\acquia_connector\Controller\SecurityReviewController::checkInputFormats()

Check input formats for unsafe tags.

Check for formats usable by untrusted users that either do not have the HTML filter (or the HTML escape filter) enabled, or have the HTML filter enabled but allow unsafe tags.

Return value

array Result.

Throws

\Drupal\Component\Plugin\Exception\InvalidPluginDefinitionException

\Drupal\Component\Plugin\Exception\PluginNotFoundException

File

src/Controller/SecurityReviewController.php, line 412

Class

SecurityReviewController
Acquia Security Review page.

Namespace

Drupal\acquia_connector\Controller

Code

private function checkInputFormats() {
  $result = TRUE;

  /** @var \Drupal\filter\FilterFormatInterface[] $formats */
  $formats = $this
    ->entityTypeManager()
    ->getStorage('filter_format')
    ->loadByProperties([
    'status' => TRUE,
  ]);
  $check_result_value = [];

  // Check formats that are accessible by untrusted users.
  // $untrusted_roles = acquia_spi_security_review_untrusted_roles();
  $untrusted_roles = $this
    ->untrustedRoles();
  $untrusted_roles = array_keys($untrusted_roles);
  foreach ($formats as $id => $format) {
    $format_roles = filter_get_roles_by_format($format);
    $intersect = array_intersect(array_keys($format_roles), $untrusted_roles);
    if (!empty($intersect)) {
      $filters = $formats[$id]
        ->get('filters');

      // Check format for enabled HTML filter.
      if (in_array('filter_html', array_keys($filters)) && $filters['filter_html']['status'] == 1) {
        $filter = $filters['filter_html'];

        // Check for unsafe tags in allowed tags.
        $allowed_tags = $filter['settings']['allowed_html'];
        $unsafe_tags = $this
          ->unsafeTags();
        foreach ($unsafe_tags as $tag) {
          if (strpos($allowed_tags, '<' . $tag . '>') !== FALSE) {

            // Found an unsafe tag.
            $check_result_value['tags'][$id] = $tag;
          }
        }
      }
      elseif (!in_array('filter_html_escape', array_keys($filters)) || !$filters['filter_html_escape']['status'] == 1) {

        // Format is usable by untrusted users but does not contain
        // the HTML Filter or the HTML escape.
        $check_result_value['formats'][$id] = $format;
      }
    }
  }
  if (!empty($check_result_value)) {
    $result = FALSE;
  }
  return [
    'result' => $result,
    'value' => $check_result_value,
  ];
}
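
An added example (not Acquia Connector code) that runs the same check over plain arrays: it parses tag names out of allowed_html, so an entry listed with attributes (Drupal 8 writes them as <a href hreflang>) is still recognised, and it records every unsafe tag found in a format rather than only the last one. The array layout, the role ids and the unsafe-tag list are assumptions made for the illustration.

```php
<?php
// Added example, not Acquia Connector code. Plain arrays stand in for the
// filter_format entities; the role ids and unsafe-tag list are assumptions.

/** Returns the tag names present in an allowed_html string such as "<a href> <em>". */
function allowed_tag_names(string $allowed_html): array {
  preg_match_all('/<\s*([a-z][a-z0-9-]*)/i', $allowed_html, $m);
  return array_unique(array_map('strtolower', $m[1]));
}

/** Same result shape as checkInputFormats(), but records every unsafe tag. */
function review_formats(array $formats, array $untrusted_roles, array $unsafe_tags): array {
  $value = [];
  foreach ($formats as $id => $format) {
    if (!array_intersect($format['roles'], $untrusted_roles)) {
      continue; // Only trusted roles can use this format.
    }
    $filters = $format['filters'];
    if (!empty($filters['filter_html']['status'])) {
      $allowed = allowed_tag_names($filters['filter_html']['settings']['allowed_html']);
      $found = array_values(array_intersect($unsafe_tags, $allowed));
      if ($found) {
        $value['tags'][$id] = $found;
      }
    }
    elseif (empty($filters['filter_html_escape']['status'])) {
      // Neither the HTML filter nor the HTML escape filter is active.
      $value['formats'][$id] = $id;
    }
  }
  return ['result' => empty($value), 'value' => $value];
}

// Constructed sample data.
$formats = [
  'basic_html' => ['roles' => ['authenticated'], 'filters' => [
    'filter_html' => ['status' => TRUE, 'settings' => ['allowed_html' => '<a href hreflang> <em> <iframe src width> <script>']],
  ]],
  'raw' => ['roles' => ['anonymous'], 'filters' => []],
  'plain_text' => ['roles' => ['anonymous'], 'filters' => ['filter_html_escape' => ['status' => TRUE]]],
  'full_html' => ['roles' => ['administrator'], 'filters' => []],
];
$report = review_formats($formats, ['anonymous', 'authenticated'], ['script', 'iframe', 'object']);
print_r($report);
```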