
function security_review_check_field_help in Security Review 7

File

./security_review.help.inc, line 248
Main help definition.

Code

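/**
 * Builds the help text and findings for the "dangerous tags in content" check.
 *
 * @param array|null $check
 *   Stored check result, or NULL. Expected shape: 'result' (FALSE when risky
 *   content was found) and 'value', an array keyed by entity type whose values
 *   are arrays keyed by entity id holding 'field', 'type' and 'hash' entries.
 * @param string|null $skipped_message
 *   When non-empty, shown instead of the findings list.
 *
 * @return array
 *   Help element with 'title', 'descriptions' and, when applicable,
 *   'findings' (with 'descriptions' and 'items' of 'html'/'safe'/'raw').
 */
function security_review_check_field_help($check = NULL, $skipped_message = NULL) {
  $element = array();
  $element['title'] = t('Dangerous tags in content');
  $element['descriptions'][] = t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents or add the hash of the content to the security_review_known_risky_fields system variable (see the README.txt for more information).');

  if (!empty($skipped_message)) {
    $element['findings']['descriptions'][] = $skipped_message;
  }
  // NOTE(review): the loose comparison also matches a NULL result; confirm
  // that a NULL (not yet run) result is meant to list findings.
  elseif ($check && $check['result'] == FALSE) {
    $element['findings']['descriptions'][] = t('The following items potentially have dangerous tags.  ');
    foreach ($check['value'] as $entity_type => $value) {
      $entity_info = entity_get_info($entity_type);
      // entity_get_info() returns FALSE for an unknown entity type; skip it
      // instead of raising notices on every key lookup below.
      if (empty($entity_info['entity keys']['id'])) {
        continue;
      }
      $id_key = $entity_info['entity keys']['id'];
      $label_key = isset($entity_info['entity keys']['label']) ? $entity_info['entity keys']['label'] : $id_key;
      $uri_callback = isset($entity_info['uri callback']) ? $entity_info['uri callback'] : FALSE;

      // There is no access checking. We state that the use of this module should be granted to trusted users only.
      $entities = entity_load($entity_type, array_keys($value));
      foreach ($entities as $entity) {
        $finding = $value[$entity->{$id_key}];

        // Default to a dead link when the entity type has no usable URI callback.
        $uri = '#';
        if ($uri_callback && function_exists($uri_callback)) {
          $entity_uri = $uri_callback($entity);
          // @todo can this assumption be made?
          if (isset($entity_uri['path'])) {
            $uri = url($entity_uri['path'] . '/edit');
          }
        }

        // '@link' runs the URL through check_plain(), matching what l() does
        // for href attributes; every other placeholder is escaped as well.
        $html = t('@description found in @field field of <a href="@link">@title</a> (content hash: %hash).', array(
          '@field' => $finding['field'],
          '@description' => $finding['type'],
          '@link' => $uri,
          '@title' => $entity->{$label_key},
          '%hash' => $finding['hash'],
        ));
        $element['findings']['items'][] = array(
          'html' => $html,
          'safe' => t('@description in @field field of !url', array(
            '@field' => $finding['field'],
            '@description' => $finding['type'],
            '!url' => $uri,
          )),
          'raw' => $finding['field'] . ':' . $uri,
        );
      }
    }
  }
  return $element;
}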