Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
Dear Drupal maintainer-news subscriber,
One of the goals of the Drupal Security Team is promoting education on security topics. In this email, we on the Drupal Security Team provide some “best practice” guidelines for configuration of Drupal’s text formats, to help you keep your sites secure. Despite Drupal core having sensible security defaults, it's quite easy to introduce insecure misconfigurations and in so doing open your site up to attack. If you’re building Drupal sites it’s important to understand Text Formats as an example of safely using user input.
One of the most frequently encountered vulnerabilities on the web and the number one vulnerability improperly built Drupal sites is cross-site scripting (XSS). You should be aware of how Drupal’s Text Formats system protects you against XSS, to avoid unknowingly opening your site up to attack (see https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw).
Drupal 7 has three formats by default: Filtered HTML, Full HTML, and Plain Text (Drupal 6 does not install the Plain Text format by default.) Known as Text Formats, these are comprised of filters which run on input text when node bodies, certain fields, and comment bodies are output. Text Formats are one of the most important lines of defense against attackers submitting content to your site. In addition to keeping you safe from malicious content, Text Formats also help format and display input.
You can review your Text Formats (known as Input Formats in Drupal 6) at:
* Drupal 7: Administration > Configuration > Text Formats or /admin/config/content/formats
* Drupal 6: Administer > Site configuration > Input formats or /admin/settings/filters
As the name implies, the Filtered HTML text format is more restrictive of allowed HTML output than Full HTML, so be sure you haven't allowed roles that may be held by untrusted users to use the Full HTML Text Format. If an untrusted user can use the Full HTML text format then they can possibly execute a XSS attack against your site to deface it, steal private information, or worse.
You can read more about cross-site scripting (XSS) at the following pages
* https://www.owasp.org/index.php/Cross_Site_Scripting_Flaw
* http://drupalscout.com/knowledge-base/introduction-cross-site-scripting-...
For an automated way to review the Text Formats of your site check out the Security Review module at http://drupal.org/project/security_review.
Next time we’ll discuss the underlying APIs provided by Drupal for safely handling user input in your custom code. As a reminder, if you ever find a security issue in Drupal core, or contributed modules, please report it to us immediately. See http://drupal.org/security-team/report-issue for more info.
Also, for the month of January some members of the security team are offering IRC office-hours for assistance in writing and building secure Drupal sites and code. Read more at http://drupal.org/node/1883394
Stay secure,
http://drupal.org/security-team
