function security_review_check_input_formats in Security Review 6
Same name and namespace in other branches
- 7 security_review.inc \security_review_check_input_formats()
Checks for input formats that are usable by untrusted users but do not run the HTML filter, or whose allowed-tag list (in strip mode) contains an unsafe tag.
1 call to security_review_check_input_formats()
1 string reference to 'security_review_check_input_formats'
- _security_review_security_checks in ./
security_review.inc - Checks for security_review_security_checks() or security_review_get_checks().
File
- ./
security_review.inc, line 288 - Stand-alone security checks and review system.
Code
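/**
 * Checks input formats that untrusted users can reach for a missing HTML filter.
 *
 * Every input format is inspected. A format counts as reachable by untrusted
 * users when its role list intersects security_review_untrusted_roles(), or
 * when it is the site default format (which is available to every role no
 * matter which roles are listed on it). For each reachable format:
 * - If the HTML filter ('filter/0') is not part of the format, the format is
 *   reported under 'formats'.
 * - If the HTML filter is present and in strip mode, the format's allowed-tag
 *   list is tokenised and compared against security_review_unsafe_tags();
 *   a match is reported under 'tags'. Escape mode is not inspected, because it
 *   escapes every tag regardless of the allowed list.
 *
 * @return array
 *   An associative array:
 *   - 'result': TRUE when nothing was found, FALSE otherwise.
 *   - 'value': empty when nothing was found; otherwise may hold
 *     - 'formats': format id => format name, for reachable formats without
 *       the HTML filter;
 *     - 'tags': format id => unsafe tag found in that format's allowed tags.
 *       Only one tag is recorded per format (the last match overwrites
 *       earlier ones), so treat it as "at least this tag".
 */
function security_review_check_input_formats() {
  $result = TRUE;
  $check_result_value = array();
  $untrusted_roles = security_review_untrusted_roles();
  $unsafe_tags = security_review_unsafe_tags();
  // The default format is usable by all users even if no roles are listed on it.
  $default_format = variable_get('filter_default_format', FILTER_FORMAT_DEFAULT);
  // Every role id, used as the reach of the default format.
  $all_roles = drupal_map_assoc(array_keys(user_roles()));

  foreach (filter_formats() as $id => $format) {
    if ($format->format == $default_format) {
      $reachable_by = $all_roles;
    }
    else {
      // $format->roles is a comma-separated list of role ids; the surrounding
      // commas produce empty entries, which array_filter() drops.
      $format_roles = array_filter(explode(',', $format->roles));
      $reachable_by = array_intersect($format_roles, $untrusted_roles);
    }
    if (empty($reachable_by)) {
      // Only trusted roles can use this format; nothing to check.
      continue;
    }

    // Untrusted users can use this format, so it must run the HTML filter.
    $filters = filter_list_format($format->format);
    if (!isset($filters['filter/0'])) {
      $check_result_value['formats'][$id] = $format->name;
      continue;
    }

    // HTML filter is enabled. Only strip mode honours the allowed-tag list;
    // escape mode neutralises every tag, so there is nothing further to check.
    $setting = variable_get("filter_html_" . $format->format, FILTER_HTML_STRIP);
    if ($setting != FILTER_HTML_STRIP) {
      continue;
    }

    $allowed_tags = variable_get("allowed_html_" . $format->format, '');
    // Tokenise the allowed list on whitespace, '<' and '>' rather than looking
    // for a literal "<tag>" substring. The HTML filter itself splits the list
    // this way (NOTE(review): mirrors filter.module's _filter_html(); confirm
    // against the core version in use), so entries such as "< script >" or a
    // bare "script" are honoured by the filter and would otherwise be missed.
    $allowed_list = preg_split('/\s+|<|>/', $allowed_tags, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($unsafe_tags as $tag) {
      if (in_array($tag, $allowed_list, TRUE)) {
        // Found an unsafe tag; later matches overwrite earlier ones.
        $check_result_value['tags'][$id] = $tag;
      }
    }
  }

  if (!empty($check_result_value)) {
    $result = FALSE;
  }
  return array(
    'result' => $result,
    'value' => $check_result_value,
  );
}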