[Maintainers-news] Core Security - Understanding Text Formats

maintainers-news at drupal.org maintainers-news at drupal.org
Wed Jan 9 16:14:49 UTC 2013


View online: http://drupal.org/node/1884352

Dear Drupal maintainer-news subscriber,

One of the goals of the Drupal Security Team is promoting education on
security topics. In this email, we on the Drupal Security Team provide some
“best practice” guidelines for configuring Drupal’s text formats, to help
you keep your sites secure.

Although Drupal core ships with sensible security defaults, it is easy to
introduce insecure misconfigurations and in so doing open your site up to
attack. If you build Drupal sites, it is important to understand Text
Formats as an example of safely handling user input. One of the most
frequently encountered vulnerabilities on the web, and the number one
vulnerability in improperly built Drupal sites, is cross-site scripting
(XSS). You should be aware of how Drupal’s Text Formats system protects you
against XSS, so that you do not unknowingly open your site up to attack (see
https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw).

Drupal 7 has three formats by default: Filtered HTML, Full HTML, and Plain
Text (Drupal 6 does not install the Plain Text format by default). Known as
Text Formats, these are composed of filters which run on the stored input
text when node bodies, certain fields, and comment bodies are output. Text
Formats are one of the most important lines of defense against attackers
submitting content to your site. In addition to keeping you safe from
malicious content, Text Formats also help format and display input.

You can review your Text Formats (known as Input Formats in Drupal 6) at:

* Drupal 7: Administration > Configuration > Text Formats or
  /admin/config/content/formats
* Drupal 6: Administer > Site configuration > Input formats or
  /admin/settings/filters

As the name implies, the Filtered HTML text format is more restrictive of
allowed HTML output than Full HTML, so be sure you haven't allowed roles that
may be held by untrusted users to use the Full HTML text format. If an
untrusted user can use the Full HTML text format then they can potentially
execute an XSS attack against your site to deface it, steal private
information, or worse. You can read more about cross-site scripting (XSS) at
the following pages:

* https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw
* http://drupalscout.com/knowledge-base/introduction-cross-site-scripting-xss-and-drupal
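The check above (which roles can use which format, and whether the format
still filters HTML) can be scripted. The following is an added example
written for this mail, not code from the Drupal Security Team or from Drupal
core. It assumes a Drupal 7 site bootstrapped through drush (for example
`drush php-script audit_text_formats.php` from the site root), uses only
Drupal 7 filter and user API functions (filter_formats(),
filter_get_roles_by_format(), filter_list_format(), check_markup()), treats
the anonymous and authenticated roles as "untrusted", and renders a
constructed XSS probe through every format so you can see what each one lets
through. The script file name is an assumption; Drupal 6 is not covered.

```php
<?php
/**
 * Added example, not part of Drupal core or of the original mail: audit the
 * text formats of a Drupal 7 site and flag any format that leaves HTML
 * unfiltered while being usable by anonymous or authenticated users.
 *
 * Run inside a Drupal 7 bootstrap, e.g.:
 *   drush php-script audit_text_formats.php
 */

// Assumption of this example: anonymous and authenticated are the roles that
// every untrusted visitor holds, so a format they can use must filter HTML.
$untrusted_rids = array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID);

// Constructed probe (not a captured payload): a harmless paragraph followed
// by an <img> with an event handler. Filtered HTML drops the <img> entirely
// because it is not in the allowed-tags list; Full HTML passes it through.
$probe = '<p>Hello</p><img src="x" onerror="alert(document.cookie)">';

foreach (filter_formats() as $format) {
  // Filters configured for this format, keyed by filter name.
  $filters = filter_list_format($format->format);
  $html_filter_on = !empty($filters['filter_html']->status);

  // Roles holding the "use text format <id>" permission, keyed by rid.
  $roles = filter_get_roles_by_format($format);
  $untrusted_can_use = array_intersect(array_keys($roles), $untrusted_rids);

  print sprintf("%s [%s]\n", $format->name, $format->format);
  print sprintf("  filter_html enabled: %s\n", $html_filter_on ? 'yes' : 'no');
  print sprintf("  roles: %s\n", $roles ? implode(', ', $roles) : '(none)');

  if ($html_filter_on) {
    // filter_html stores its allowed-tags list under the 'allowed_html' key.
    $allowed = isset($filters['filter_html']->settings['allowed_html'])
      ? $filters['filter_html']->settings['allowed_html']
      : '(default)';
    print sprintf("  allowed tags: %s\n", $allowed);
  }
  elseif ($untrusted_can_use) {
    print "  WARNING: unfiltered HTML is usable by anonymous or authenticated users\n";
  }

  // Render the probe through this format, bypassing the filter cache, so the
  // output shows exactly what an attacker's markup would become on display.
  print sprintf("  probe output: %s\n\n", trim(check_markup($probe, $format->format, '', FALSE)));
}
```

Any line that prints the WARNING is a configuration to fix: either remove
the permission from the anonymous/authenticated role on the text format
configuration page, or enable the "Limit allowed HTML tags" filter for that
format. The probe output line is the quickest way to confirm the fix took
effect, since the `onerror` handler should no longer appear in the rendered
result.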
For an automated way to review the Text Formats of your site, check out the
Security Review module at http://drupal.org/project/security_review.

Next time we’ll discuss the underlying APIs provided by Drupal for safely
handling user input in your custom code.

As a reminder, if you ever find a security issue in Drupal core or
contributed modules, please report it to us immediately. See
http://drupal.org/security-team/report-issue for more info. Also, for the
month of January some members of the security team are offering IRC office
hours for assistance in writing and building secure Drupal sites and code.
Read more at http://drupal.org/node/1883394

Stay secure,
http://drupal.org/security-team