Drupal 7: functions related to security


Some key points adapted from "Handle text in a secure fashion":

NB: the form elements #description and #title require you to sanitise any user-supplied substitution text by using the @user_supplied or %user_supplied placeholders (not !user_supplied).

NB: block descriptions (but NOT TITLES) are automatically sanitised.

When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done. Otherwise, you may see bugs when users enter angle brackets or ampersands, or, worse, you could open up XSS exploits.

When handling data, the golden rule is to store exactly what the user typed. When a user edits a post they created earlier, the form should contain the same content as it did when they first submitted it. This means that conversions are performed when content is output, not when it is saved to the database.


All the rules above can be summed up quite easily: no piece of user-submitted content should ever be placed as-is into HTML. If you are unsure whether this is the case, you can always test it by submitting a piece of text like <u>xss</u> into your module's fields. If the text comes out underlined or mangles existing tags, you know you have a problem.
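The points above applied in one place, as an added example (not code from the Drupal handbook or any real module): a hypothetical Drupal 7 module `mymodule` that stores a user-supplied nickname and body raw, then escapes at output time in a block title (which is not auto-sanitised), a whitelisted block body, and a form #description built with t() placeholders. The module name and the `mymodule_nickname` / `mymodule_body` variables are assumptions.

```php
<?php
// Added example, hypothetical module "mymodule" (Drupal 7 API only).

/**
 * Implements hook_block_view().
 */
function mymodule_block_view($delta = '') {
  $block = array();
  if ($delta == 'greeting') {
    // Stored exactly as the user typed it, e.g. '<u>xss</u>'.
    $nickname = variable_get('mymodule_nickname', '');
    // Block titles are NOT automatically sanitised: escape before output.
    $block['subject'] = check_plain($nickname);
    // Body may carry limited markup: keep a small tag whitelist, strip the rest.
    $block['content'] = filter_xss(variable_get('mymodule_body', ''),
                                   array('a', 'em', 'strong'));
  }
  return $block;
}

/**
 * Settings form: #title and #description are printed as-is by Form API,
 * so any user-supplied substitution must go through @ or %, never !.
 */
function mymodule_settings_form($form, &$form_state) {
  $nickname = variable_get('mymodule_nickname', '');
  $form['mymodule_nickname'] = array(
    '#type' => 'textfield',
    '#title' => t('Nickname'),
    // @nickname is run through check_plain(); %nickname is escaped and
    // wrapped in <em class="placeholder">; !nickname would be inserted raw.
    '#description' => t('Currently shown as @nickname in the block.',
                        array('@nickname' => $nickname)),
    // The raw value is safe here: Form API escapes attribute values.
    '#default_value' => $nickname,
  );
  $form['mymodule_body'] = array(
    '#type' => 'textarea',
    '#title' => t('Block body'),
    '#description' => t('Allowed tags: %tags', array('%tags' => 'a, em, strong')),
    '#default_value' => variable_get('mymodule_body', ''),
  );
  return system_settings_form($form);
}
```

Submitting `<u>xss</u>` as the nickname should then render literally in both the block title and the description; if it comes out underlined, an escaping step has been skipped.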

Visit also