function security_review_check_input_formats_help in Security Review 7
File
- ./
security_review.help.inc, line 98 - Main help definition.
/**
 * Help callback for the "allowed HTML tags in text formats" check.
 *
 * Builds the title, description and (when the check did not pass) the
 * findings that Security Review renders for this check.
 *
 * @param array|null $check
 *   The stored check record, or NULL when none is available. Only
 *   $check['result'] and $check['value'] are read; 'value' may carry a
 *   'tags' list (tag names) or a 'formats' list of format objects with
 *   ->name and ->format.
 * @param string|null $skipped_message
 *   Reason the check was skipped. When non-empty it becomes the only finding
 *   and the check record is not inspected.
 *
 * @return array
 *   Array with 'title' and 'descriptions'. When findings exist,
 *   'findings' holds 'descriptions' and 'items'; each item provides a 'raw'
 *   value and a 'safe' value meant for direct output. For formats the 'safe'
 *   value is check_plain()-escaped and an 'html' link (built with l()) is
 *   added. For tags the 'safe' value is emitted unescaped, which relies on
 *   the check reporting only tags from the module's own unsafe-tag list —
 *   confirm against the check callback that fills 'value'.
 */
function security_review_check_input_formats_help($check = NULL, $skipped_message = NULL) {
  $element = array(
    'title' => t('Allowed HTML tags in text formats'),
    'descriptions' => array(
      t("Certain HTML tags can allow an attacker to take control of your site. Drupal's input format system makes use of a set filters to run on incoming text. The 'HTML Filter' strips out harmful tags and Javascript events and should be used on all formats accessible by untrusted users."),
      t("<a href='!link'>Read more about Drupal's input formats in the handbooks.</a>", array(
        '!link' => url('http://drupal.org/node/224921'),
      )),
    ),
  );

  // A skipped check reports only the reason it was skipped.
  if ($skipped_message) {
    $element['findings']['descriptions'][] = $skipped_message;
    return $element;
  }

  // No findings unless a check record exists and did not pass. The loose
  // comparison means NULL, 0 and '' in 'result' also count as "not passed".
  if (!$check || $check['result'] != FALSE) {
    return $element;
  }

  $unsafe_tags = empty($check['value']['tags']) ? array() : $check['value']['tags'];
  $open_formats = empty($check['value']['formats']) ? array() : $check['value']['formats'];

  if ($unsafe_tags) {
    $element['findings']['descriptions'][] = t('<a href="!link">Review your text formats.</a>', array(
      '!link' => url('admin/config/content/formats'),
    ));
    $element['findings']['descriptions'][] = t('It is recommended you remove the following tags from roles accessible by untrusted users.');
    foreach ($unsafe_tags as $tag_name) {
      // Reported tag names are passed through as-is for both variants; see
      // the @return note on why 'safe' is not escaped here.
      $element['findings']['items'][] = array(
        'safe' => $tag_name,
        'raw' => $tag_name,
      );
    }
  }
  elseif ($open_formats) {
    $element['findings']['descriptions'][] = t('The following formats are usable by untrusted roles and do not filter or escape allowed HTML tags.');
    foreach ($open_formats as $format) {
      // Format names are admin-entered text: l() escapes the link text and
      // check_plain() escapes the 'safe' variant.
      $element['findings']['items'][] = array(
        'html' => l($format->name, 'admin/config/content/formats/' . $format->format),
        'safe' => check_plain($format->name),
        'raw' => $format->name,
      );
    }
  }

  return $element;
}