
function security_review_check_input_formats in Security Review 7

Same name and namespace in other branches
  1. 6 security_review.inc \security_review_check_input_formats()

Check for text formats usable by untrusted users that either have no HTML filter, or, if they do have one, allow unsafe tags.

1 call to security_review_check_input_formats()
SecurityReviewTestCase::testCheckResults in tests/security_review.test
1 string reference to 'security_review_check_input_formats'
_security_review_security_checks in ./security_review.inc
Core Security Review's checks.

File

./security_review.inc, line 298
Stand-alone security checks and review system.

Code

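/**
 * Checks text formats usable by untrusted users for missing or weak HTML filtering.
 *
 * A format is flagged when at least one untrusted role may use it and either:
 * - the HTML filter (filter_html) is enabled but its allowed tag list contains
 *   a tag that security_review_unsafe_tags() (alterable through
 *   hook_security_review_unsafe_tags_alter()) considers unsafe, or
 * - neither the HTML filter nor the "Display any HTML as plain text" filter
 *   (filter_html_escape) is enabled, so markup passes through untouched.
 *
 * @return array
 *   An associative array with:
 *   - 'result': TRUE when nothing was flagged, FALSE otherwise.
 *   - 'value': an array that may contain:
 *     - 'tags': format ID => an unsafe tag allowed by that format's HTML
 *       filter (only one tag is recorded per format).
 *     - 'formats': format ID => the format object, for formats that apply no
 *       HTML filtering at all.
 */
function security_review_check_input_formats() {
  $result = TRUE;
  $formats = filter_formats();
  $check_result_value = array();

  // Format access is keyed by role ID; only the IDs are needed below.
  $untrusted_roles = array_keys(security_review_untrusted_roles());

  // Resolve (and let other modules alter) the unsafe tag list once instead of
  // once per format; the hook receives nothing format-specific.
  $unsafe_tags = security_review_unsafe_tags();
  drupal_alter('security_review_unsafe_tags', $unsafe_tags);

  foreach ($formats as $id => $format) {
    $format_roles = filter_get_roles_by_format($format);
    $intersect = array_intersect(array_keys($format_roles), $untrusted_roles);
    if (empty($intersect)) {
      // No untrusted role can use this format; nothing to review.
      continue;
    }

    $filters = filter_list_format($format->format);

    if (isset($filters['filter_html']) && $filters['filter_html']->status) {
      // Core's _filter_html() splits the allowed list on whitespace and angle
      // brackets, so a bare "script" permits the tag just as "<script>" does.
      // Parse the setting the same way rather than substring-matching "<tag>",
      // which would miss the bare form.
      $settings = $filters['filter_html']->settings;
      $allowed_html = isset($settings['allowed_html']) ? $settings['allowed_html'] : '';
      $allowed_tags = preg_split('/\s+|<|>/', $allowed_html, -1, PREG_SPLIT_NO_EMPTY);

      foreach ($unsafe_tags as $tag) {
        if (in_array($tag, $allowed_tags, TRUE)) {
          // Found an unsafe tag; as before, the last match is the one reported.
          $check_result_value['tags'][$id] = $tag;
        }
      }
    }
    elseif (!isset($filters['filter_html_escape']) || !$filters['filter_html_escape']->status) {
      // Untrusted users can use this format, yet neither the HTML filter nor
      // the HTML escape filter runs on it.
      $check_result_value['formats'][$id] = $format;
    }
  }

  if (!empty($check_result_value)) {
    $result = FALSE;
  }
  return array(
    'result' => $result,
    'value' => $check_result_value,
  );
}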