Is Drupal secure?

Drupal has a very good track record in terms of security, and has an organized process for investigating, verifying, and publishing possible security problems.

Drupal's security team is constantly working with the community to address security issues as they arise. Read more about securing your site.

Anyone running Drupal should subscribe to the security mailing list (enable it by editing your account profile) so that you automatically receive the security advisories of all types, for core as well as for contributed modules and themes.

Frequently asked questions:

Is open source software secure?

The short answer is that open source software is, in general, at least as secure as proprietary software. A good summary of the relevant issues can be found in this article from IBM: The security implications of open source software. The increased security of using open source was cited as one reason the White House switched to Drupal.

How Drupal addresses common security vulnerabilities

WYSIWYG Integration

The Media module lets editors insert media inline in a number of client-side WYSIWYG editors through the Wysiwyg module.

Configuration

  1. Install WYSIWYG and configure it, using CKEditor (installation instructions).
  2. In Configuration -> Text Formats, click 'configure' next to the text format for which you want to allow inline media.
  3. Under Enabled Filters, check the "Converts Media tags to Markup" box. If the "Limit allowed HTML tags" filter is also enabled, drag "Converts Media tags to Markup" below it in the filter processing order: filters run top to bottom, and the Media filter must run after the HTML filter.
  4. If "Limit allowed HTML tags" is enabled on the Filtered HTML text format, also add the <img> tag to its "Allowed HTML tags", otherwise the inserted images will not show up at all.
  5. In Configuration -> Wysiwyg profiles, click on 'edit' next to the profile for which you want to enable the Media Browser. (Note: You must select an editor for the profile before you can edit the options.)
  6. In the Buttons and Plugins pane, enable the Media Browser button and save the profile.
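Steps 3 and 4 depend on two things that are easy to get wrong in the UI: the weight of the Media filter relative to "Limit allowed HTML tags", and the presence of <img> in the allowed tags. The following drush script is an added check (not code from the Media module or from this page): it reports both conditions for a text format and can repair them. The format machine name 'filtered_html', the Media filter's machine name 'media_filter' and the function names are assumptions, not taken from the page.

```php
<?php
/**
 * Added check, not Media module code. Run with:
 *   drush php-script check_media_filters.php
 *
 * Assumptions (not from the page): the format machine name is
 * 'filtered_html' and the Media filter's machine name is 'media_filter'.
 */

function mymodule_media_filter_problems($format_id = 'filtered_html', $media_filter = 'media_filter') {
  $problems = array();
  // filter_list_format() returns every known filter for the format, keyed by
  // machine name, with its status, weight and unserialized settings.
  $filters = filter_list_format($format_id);

  if (empty($filters[$media_filter]->status)) {
    $problems[] = "$media_filter is not enabled on $format_id.";
    return $problems;
  }
  if (!empty($filters['filter_html']->status)) {
    // Filters run in ascending weight order, so the Media filter must weigh more
    // than 'Limit allowed HTML tags' to run after it.
    if ($filters[$media_filter]->weight <= $filters['filter_html']->weight) {
      $problems[] = "$media_filter runs before filter_html; drag it below 'Limit allowed HTML tags'.";
    }
    $allowed = $filters['filter_html']->settings['allowed_html'];
    if (stripos($allowed, '<img>') === FALSE) {
      $problems[] = "<img> is missing from the allowed HTML tags of $format_id.";
    }
  }
  return $problems;
}

function mymodule_media_filter_fix($format_id = 'filtered_html', $media_filter = 'media_filter') {
  $format = filter_format_load($format_id);
  $filters = filter_list_format($format_id);

  // Enable the Media filter and put it after every other filter on the format.
  $weights = array();
  foreach ($filters as $filter) {
    $weights[] = (int) $filter->weight;
  }
  $filters[$media_filter]->status = 1;
  $filters[$media_filter]->weight = max($weights) + 1;

  // Whitelist <img> without touching the rest of the allowed tags.
  if (!empty($filters['filter_html']->status)
      && stripos($filters['filter_html']->settings['allowed_html'], '<img>') === FALSE) {
    $filters['filter_html']->settings['allowed_html'] .= ' <img>';
  }

  // filter_format_save() expects $format->filters as arrays keyed by filter name.
  $format->filters = array();
  foreach ($filters as $name => $filter) {
    $format->filters[$name] = array(
      'status' => $filter->status,
      'weight' => $filter->weight,
      'settings' => $filter->settings,
    );
  }
  filter_format_save($format);

  // Re-run the check so the caller sees whether anything is still wrong.
  return mymodule_media_filter_problems($format_id, $media_filter);
}

// Report only; call mymodule_media_filter_fix() instead to repair the format.
foreach (mymodule_media_filter_problems() as $problem) {
  drush_print($problem);
}
```

The fix pushes the Media filter to the end of the processing order rather than one step below the HTML filter, so it cannot tie in weight with another filter and silently end up before it.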

Current Issues and Workarounds

A few issues with WYSIWYG integration still exist.

    Media fields

    Media as a field means that you can create a media field for a node just like you have a title field or a body field or a tags field. The media you select in the field will be attached to the node, and will be displayed when the node is displayed.

    Creating a Media field on a content type

    Now we'll add a Media field to the built-in Article content type. Go to the Content types overview page at /admin/structure/types and click the 'Manage fields' link for the Article type, which brings you to /admin/structure/types/manage/article/fields. Add a new field called 'Media' by selecting the 'File' or 'Image' field type from the field type selector (fill in both the label and the machine name), and select the 'Media file selector' widget.

    (Side note: 'Multimedia Asset' field type is deprecated in 2.x. See: #1201936: Move the media field to a non-required submodule)

    Save the resulting Field settings without changing anything. The next screen also shows the Allowed media types, with 'Image' selected by default, and the Allowed URI schemes, with 'Public files' and 'Private files' selected. Leave these alone for now. (Files in the public scheme are served directly by the web server; files in the private scheme are served by Drupal, which checks access before delivering them.)

    Upload a media file

    Go to the Media content listing page, by clicking on the very top 'Content' link and clicking on the 'Media' tab (which brings you to /admin/content/media/list). Then click on the 'Upload new files' link and upload an image.
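The same field can be created from code, which makes the settings that matter for uploads explicit: the allowed media types and URI schemes that the widget accepts, and the file extension whitelist that Drupal's file validators enforce on uploads through the field. The snippet below is an added example, not code from the Media module or from this page; the field name field_media, the widget type 'media_generic' and its allowed_types/allowed_schemes settings, and the function name are assumptions about Media 7.x-2.x.

```php
<?php
/**
 * Added example, not Media module code. Creates an image field on Article
 * that uses the Media browser widget, restricted to image files from the
 * public scheme, with an explicit upload extension whitelist.
 *
 * Assumptions (not from the page): the field name 'field_media', the widget
 * type 'media_generic' and its allowed_types / allowed_schemes settings.
 */
function mymodule_create_media_field($entity_type = 'node', $bundle = 'article', $field_name = 'field_media') {
  // The field definition is shared by all instances; create it only once.
  if (!field_info_field($field_name)) {
    field_create_field(array(
      'field_name' => $field_name,
      'type' => 'image',
      'cardinality' => 1,
      // Files land in the public scheme, i.e. served by the web server directly.
      'settings' => array('uri_scheme' => 'public'),
    ));
  }

  if (!field_info_instance($entity_type, $field_name, $bundle)) {
    field_create_instance(array(
      'field_name' => $field_name,
      'entity_type' => $entity_type,
      'bundle' => $bundle,
      'label' => 'Media',
      'settings' => array(
        // Upload whitelist enforced by Drupal's file validators: anything not
        // listed here (including .php, .html, .svg) is rejected on upload.
        'file_extensions' => 'png gif jpg jpeg',
        'file_directory' => 'media',
        'max_filesize' => '2 MB',
        'max_resolution' => '4000x4000',
        'min_resolution' => '',
        'alt_field' => 1,
        'title_field' => 0,
      ),
      'widget' => array(
        'type' => 'media_generic',
        'settings' => array(
          // Mirrors the "Allowed media types" and "Allowed URI schemes"
          // checkboxes from the UI; checkbox values are stored keyed by name.
          'allowed_types' => array('image' => 'image'),
          'allowed_schemes' => array('public' => 'public'),
        ),
      ),
      'display' => array(
        'default' => array('type' => 'image', 'settings' => array('image_style' => 'large', 'image_link' => '')),
      ),
    ));
  }

  // Return the stored instance so a caller (or a test) can inspect the result.
  return field_info_instance($entity_type, $field_name, $bundle);
}

// Usage from an update hook or a drush php-script:
$instance = mymodule_create_media_field();
drush_print('file_extensions: ' . $instance['settings']['file_extensions']);
```

Unlike the UI walkthrough, this version restricts the widget to the public scheme only; add 'private' => 'private' to allowed_schemes if editors need to pick files that Drupal must access-check on download.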

    Show result list of a view with exposed filters only when filters set

    Suppose you have a Views 2 view that lists elements of any type and has at least one exposed filter, and you want it to show its empty text instead of the list until a filter has actually been set. A partial solution has been posted in the forum, but it is not perfect: it only works while every exposed filter is a text field. Optional filters rendered as dropdowns/selects have an "empty" first option, <All>, which is submitted to PHP as the string All, so the array the forum code checks is not empty and the list appears whenever such an optional select filter is present. Here is a solution that works in that case as well.
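The following is an added example of the technique, written for this page rather than taken from the forum post or from Views: a small predicate that treats the select's All value (and empty strings, and multi-selects that contain only All) as "not set", used from hook_views_pre_render() to empty the result so the view renders its empty text. The module name mymodule, the view name my_filtered_list and the list of non-filter query keys are assumptions.

```php
<?php
/**
 * Added example, not the forum's solution and not Views code.
 *
 * Assumptions (not from the page): module name 'mymodule', view name
 * 'my_filtered_list', and the set of query keys that are never filters.
 */

/**
 * TRUE when a single exposed filter value carries a real selection.
 * "All" is what a Views select filter submits for its <All> option.
 */
function mymodule_exposed_filter_is_set($value) {
  if (is_array($value)) {
    // Multi-select: set only if at least one member is a real value.
    foreach ($value as $item) {
      if (mymodule_exposed_filter_is_set($item)) {
        return TRUE;
      }
    }
    return FALSE;
  }
  $value = trim((string) $value);
  return $value !== '' && $value !== 'All';
}

/**
 * TRUE when any exposed filter in $input is set, ignoring keys that belong to
 * the pager, sorting or the form machinery rather than to a filter.
 */
function mymodule_exposed_filters_active(array $input, array $ignore = array('q', 'page', 'order', 'sort', 'items_per_page', 'offset', 'op', 'form_id', 'form_build_id', 'form_token')) {
  foreach ($input as $key => $value) {
    if (in_array($key, $ignore, TRUE)) {
      continue;
    }
    if (mymodule_exposed_filter_is_set($value)) {
      return TRUE;
    }
  }
  return FALSE;
}

/**
 * Implements hook_views_pre_render().
 *
 * Runs after the query has executed but before rows are rendered: with an
 * empty result the display renders the view's empty text instead of the list.
 */
function mymodule_views_pre_render(&$view) {
  if ($view->name != 'my_filtered_list') {
    return;
  }
  // $view->exposed_input is what Views collected from $_GET for this view.
  $input = !empty($view->exposed_input) ? $view->exposed_input : $_GET;
  if (!mymodule_exposed_filters_active($input)) {
    $view->result = array();
  }
}

// Constructed sample inputs, as the browser would submit them:
//   array('type' => 'All', 'page' => '0')            -> list suppressed
//   array('type' => array('All'), 'title' => '')      -> list suppressed
//   array('type' => 'All', 'title' => 'drupal')       -> list shown
```

Because pre_render runs after execution, the query still runs on the unfiltered request; this suppresses the display, which is the behaviour the page asks for, but it does not save the database work.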

    Code snippets

    Custom queries

    If you are doing a custom query yourself, the one DS-specific thing you need to do is put the build_mode key on the object you pass to the theming function. Also wrap the query in db_rewrite_sql() so that node access rules still apply to the nodes you list; a plain query against {node} bypasses them. In this example we're using a node object.

      function mymodule_render_teasers($type) {
        $output = '';

        // db_rewrite_sql() adds the node access conditions, so the listing does
        // not leak nodes the current user may not view. The WHERE clause is
        // illustrative; %s is a db_query() placeholder for the content type.
        $sql = "SELECT n.nid FROM {node} n WHERE n.type = '%s' AND n.status = 1";
        $result = db_query(db_rewrite_sql($sql), $type);
        while ($row = db_fetch_object($result)) {

          // Load the node - you can also build the object yourself if you know which fields you need.
          $node = node_load($row->nid);

          // Put a build_mode key on the $node object.
          $node->build_mode = 'teaser';

          // Derive the teaser flag and the show_links flag from the build mode.
          $teaser = ($node->build_mode != 'full');
          $show_links = ds_show_field('nd', $node->type, $node->build_mode, 'links');

          // Use node_view() to render.
          $output .= node_view($node, $teaser, FALSE, $show_links);
        }
        return $output;
      }
    

    Node displays fields

    Because we can't include every single field out there by default, here are some PHP snippets you can use to create a custom field at admin/ds/module/fields or include in your own implementation of hook_ds_fields(). Many of the snippets, especially those from Node displays, are single print statements for values that usually live in the $links variable, which is available by default as a field.

    Nokia Mobile Theme

    The Nokia Mobile Theme is designed to work well on low-end devices and to excel on high-end and touch screen devices.

    Special features

    1. Integrated detection of device families (low, mid and high end), specific to Nokia but also supporting many popular devices such as the iPhone, Android-based phones and the Palm Pre/Pixi
    2. Show different theme features depending on browser capabilities (use accordions to hide areas that are not used frequently, use of shades and CSS to make the look nicer, more)
    3. Tweaks for touch devices
    4. Specific tweaks for some specific Nokia devices such as the N900
