Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If you know a module that can execute php code when the PHP module is disabled, please list it here (with a link to an issue to make it impossible to do that via paranoia, if applicable):
- Display Suite #2053071: Make PHP execution by Display Suite Format module rely on core php.module
- Actions/VBO #1427334: prevent php execution in actions/VBO
- CDN #2033167: split cdn_pick_server in user interface to separate module and/or permission and/or remove
- etc.
Already fixed:
Comments
Comment #1
Mac_Weber CreditAttribution: Mac_Weber commentedIt is possible to use PHP in Views. Shall it be on this list?
Comment #1.0
Mac_Weber CreditAttribution: Mac_Weber commentedx
Comment #2
greggles@Mac_Weber - yes, that's the point of the list. Thought, is it possible to do that in views with the php module disabled?
If so, please be sure to clarify where/how it's possible.
Comment #3
larowlanviews_table_highlighter but it already required 'php'
views_php?
Comment #4
larowlanviews can do it in 'default argument' and 'argument validation' without php module
Comment #5
RobLoachDrupal Core's PHP module: #1203886: Remove the PHP module from Drupal core
Comment #6
tlattimore CreditAttribution: tlattimore commentedDon't forget Computed field module.
Per module description:
Comment #7
SpleshkaI think Views PHP is also suits here.
Comment #8
SpleshkaFound other candidates:
I didn't have enough time to create issues for this projects. Please, let me know if I can help you here.
Comment #9
killua99 CreditAttribution: killua99 commentedviews PDF? sorry for not add the link I'm on my phone right now
Comment #10
yannickooComment #10.0
yannickoox
Comment #11
larowlanAdded CDN to the list and linked to RTBC #2033167: split cdn_pick_server in user interface to separate module and/or permission and/or remove
http://drupalcode.org/project/cdn.git/blob/refs/heads/7.x-2.x:/cdn.modul...
Comment #12
Matt V. CreditAttribution: Matt V. commentedWhile evaluating some modules for security purposes, I gathered a list of projects that the Coder module's security checks flagged as including eval(). Please note, the list may be a bit out-of-date, definitely isn't exhaustive, and doesn't take into account the context in which eval() appears. That said, I thought it still might be useful to include here:
* navigate
* views
* rules
* media
* leftandright
* i18n
* ctools
* biblio
* unitsapi
* checkbox_filter
* autoarch
* phpmenu
* opigno_external_video_app/video_filter
* mysqlreport
* context_export
* navigate
* config_builder
* unitsapi
* checkbox_filter
* maestro
* skinr
* flag
* feeds_tamper_php
* om_tools
* cck_select_other
* google_admanager
* drd_server
* mobile_codes
* views_aggregator
* backup_migrate
* imce?
* rules
* features
* auto_nodetitle
* location
* login_destination
* computed_field
* draggableviews
* bundle_copy
* video_ui
* select_or_other
* video_filter
* finder
* bueditor
* elysia_cron
* field_validation
* custom_formatters
* viewreference
* auto_entitylabel
* getlocations
* mediafront
* popup
* moopapi
* om_maximenu
* drupalforfirebug
* wysiwyg_template
* webform_share
* hierarchical_select
## using drupal_eval()
* ip_login
Comment #13
gregglesWow, thanks, Matt! Looks like we've got our work cut out for us.
Comment #14
gregglesAnother: views_table_highlighter because of #2878552: Provide better documentation about required permissions and PHP use.