public function InputFormats::run in Security Review 8
The actual procedure of carrying out the check.
Return value
\Drupal\security_review\CheckResult The result of running the check.
Overrides Check::run
File
src/Checks/InputFormats.php, line 42
Class
- InputFormats
- Checks for vulnerabilities related to input formats.
Namespace
Drupal\security_review\Checks
Code
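/**
 * {@inheritdoc}
 *
 * Flags text formats that an untrusted role may use and that either let
 * unsafe HTML tags through "Limit allowed HTML tags" (filter_html) or run
 * with neither filter_html nor filter_html_escape enabled.
 *
 * Findings recorded on the result:
 *   - 'tags': format id => comma-separated list of the unsafe tags the
 *     format's filter_html configuration still allows. Every offending tag
 *     is listed; an earlier revision kept only the last one found because
 *     each tag overwrote the same format-id key.
 *   - 'formats': format id => format label, for formats reachable by
 *     untrusted users that apply no HTML filtering or escaping at all.
 *
 * @return \Drupal\security_review\CheckResult
 *   INFO when the filter module is not enabled, FAIL when at least one
 *   finding was recorded, SUCCESS otherwise.
 */
public function run() {
  // Without the filter module there are no text formats to inspect.
  if (!$this->moduleHandler()->moduleExists('filter')) {
    return $this->createResult(CheckResult::INFO);
  }

  $findings = [];
  $untrusted_roles = $this->security()->untrustedRoles();
  $unsafe_tags = $this->security()->unsafeTags();

  foreach (filter_formats() as $format) {
    // Only formats granted to at least one untrusted role are a risk.
    $format_roles = array_keys(filter_get_roles_by_format($format));
    if (empty(array_intersect($format_roles, $untrusted_roles))) {
      continue;
    }

    $format_id = $format->id();
    $filters = $format->filters();

    // A filter only protects the format when it is both present and switched
    // on; a configured-but-disabled filter is treated as absent. A missing
    // 'status' key is treated as disabled rather than raising a notice.
    $filter_html_enabled = $filters->has('filter_html')
      && !empty($format->filters('filter_html')->getConfiguration()['status']);
    $filter_html_escape_enabled = $filters->has('filter_html_escape')
      && !empty($format->filters('filter_html_escape')->getConfiguration()['status']);

    if ($filter_html_enabled) {
      // The allowed-tag list is the security boundary here: report every
      // unsafe tag it lets through.
      $restrictions = $format->filters('filter_html')->getHTMLRestrictions();
      $allowed_tags = array_keys($restrictions['allowed'] ?? []);
      $offending_tags = array_values(array_intersect($allowed_tags, $unsafe_tags));
      if (!empty($offending_tags)) {
        $findings['tags'][$format_id] = implode(', ', $offending_tags);
      }
    }
    elseif (!$filter_html_escape_enabled) {
      // Usable by untrusted users with neither HTML filtering nor escaping.
      $findings['formats'][$format_id] = $format->label();
    }
  }

  // Any finding at all fails the check.
  $result = empty($findings) ? CheckResult::SUCCESS : CheckResult::FAIL;

  return $this->createResult($result, $findings);
}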