Currently the security_review_check_field
check just identifies which entity-type/id has "Dangerous tags in content" even while it searches through revisions for these tags. This can make it very difficult to identify and clean content, especially when the problematic tags are in one of many old revisions.
This check should identify which revision ids have the dangerous tags, and whether those are the current revision or an old revision. As well, it should note the date of the revision and name of the revision user as those are what the /node/xxx/revisions
page presents for the user to click on when browsing revisions.
I'll submit a patch shortly that addresses this issue.
Comments
Comment #2
adamfranco CreditAttribution: adamfranco commentedThis patch resolves this issue and provides both HTML and drush output.
Comment #4
adamfranco CreditAttribution: adamfranco commentedI've now reworked the patch to make the integration with the
entity
module optional. Ifentity
is enabled, the revision timestamp and author will be printed in the results, if not, it will still list the revision ids, but just not the extra details. This also allows the tests to pass.With
entity
enabled:Without
entity
enabled:Comment #5
adamfranco CreditAttribution: adamfranco commentedComment #6
adamfranco CreditAttribution: adamfranco commentedOne more version of the patch here, this time with style fixes suggested by Coder-Review and preventing overwrites of the "current_version" flag by followup check to the revision table.
Comment #7
adamfranco CreditAttribution: adamfranco commentedAttached is a very minor tweak to the HTML details to make the revision-id not part of the link, allowing it to be more easily copy-pasted.
Comment #9
adamfranco CreditAttribution: adamfranco commentedNote, current test-failures are unrelated to the content of #7 and are caused by Drupal's addition of an "administer fields" permission. Once security_revew-2741289 is in place, the tests should run fine.
Comment #10
adamfranco CreditAttribution: adamfranco commentedJust in case it's of interest, here is an alternative to #7 that provides a direct "delete" link for non-current revisions. I found this extra feature very useful in my own cleanup of sites with lots of Javascript in old revisions, but it does have the downside of potentially implying that deleting the revision is proper resolution. While deleting may be a good resolution, an alternative is a direct DB query that removes the offending JS and leaves the rest of the revision content.
Either this patch or #6 are hopefully sufficient to resolve this issue and are equivalent aside from the delete-link.
Comment #11
kenahoo CreditAttribution: kenahoo as a volunteer commentedI'd love it if this patch, or one like it, could be applied. I couldn't figure out why editing content to remove PHP tags wasn't getting the `security_review` checks to pass, and after some sleuthing I discovered it's because old revisions are still in the database.
Comment #12
elondaits CreditAttribution: elondaits at IMAGINARY for IMAGINARY commentedThank you for this patch. This should be part of the module.
Comment #13
smustgrave CreditAttribution: smustgrave at Mobomo commentedPatch no longer applies.
Comment #14
smustgrave CreditAttribution: smustgrave at Mobomo commented