
function security_review_check_input_formats_help in Security Review 6

Same name and namespace in other branches
  1. 7 security_review.help.inc \security_review_check_input_formats_help()

File

./security_review.help.inc, line 102
Main help definition.

Code

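/**
 * Builds the help element for the "allowed HTML tags in input formats" check.
 *
 * Always populates the title and the general descriptions. Findings are added
 * only when the last stored check was skipped or failed; on a failure the
 * check is re-run unless the caller passes its result in.
 *
 * @param array|null $result
 *   Result of security_review_check_input_formats(), or NULL to have this
 *   function run the check itself when the last stored result was a failure.
 *
 * @return array
 *   Help element with 'title', 'descriptions' and, when applicable,
 *   'findings' => array('descriptions' => ..., 'items' => ...).
 */
function security_review_check_input_formats_help($result = NULL) {
  // Initialise explicitly rather than relying on implicit array creation.
  $element = array();
  $element['title'] = t('Allowed HTML tags in input formats');
  $element['descriptions'][] = t("Certain HTML tags can allow an attacker to take control of your site. Drupal's input format system makes use of a set filters to run on incoming text. The 'HTML Filter' strips out harmful tags and Javascript events and should be used on all formats accessible by untrusted users.");
  $element['descriptions'][] = t("<a href='!link'>Read more about Drupal's input formats in the handbooks.</a>", array(
    '!link' => url('http://drupal.org/node/224921'),
  ));

  $last_check = security_review_get_last_check('security_review', 'input_formats');
  if ($last_check['skip'] == '1') {
    $element['findings']['descriptions'][] = _security_review_check_skipped($last_check);
    return $element;
  }
  if ($last_check['result'] != '0') {
    // Last stored result was a pass: nothing to report.
    return $element;
  }

  // Only re-run the check when the caller did not supply a result.
  if (is_null($result)) {
    $result = security_review_check_input_formats();
  }

  if (!empty($result['value']['tags'])) {
    $element['findings']['descriptions'][] = t('<a href="!link">Review your input formats.</a>', array(
      '!link' => url('admin/settings/filters'),
    ));
    $element['findings']['descriptions'][] = t('It is recommended you remove the following tags from roles accessible by untrusted users.');
    foreach ($result['value']['tags'] as $tag) {
      $element['findings']['items'][] = array(
        // The tag names are expected to come from the module's own list rather
        // than from user input, so escaping is a no-op for them; it is applied
        // anyway so 'safe' is safe regardless of where the value originated,
        // matching the formats branch below.
        'safe' => check_plain($tag),
        'raw' => $tag,
      );
    }
  }
  elseif (!empty($result['value']['formats'])) {
    $element['findings']['descriptions'][] = t('The following formats are usable by untrusted roles and do not filter allowed HTML tags. The default filter will have all roles checked.');
    foreach ($result['value']['formats'] as $id => $name) {
      // Format names are admin-entered text: l() escapes the link text and
      // check_plain() escapes the 'safe' variant; 'raw' is kept unescaped.
      $element['findings']['items'][] = array(
        'html' => l($name, 'admin/settings/filters/' . $id),
        'safe' => check_plain($name),
        'raw' => $name,
      );
    }
  }

  return $element;
}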