I got the following error message :
"Dangerous tags in content
Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.", because I have some javascript in a node content.
However I disabled account creation by anonymous users, so the only untrusted role is anonymous. The settings page in Security Review reflects that (only anonymous user is checked).
Therefore, I don't see how an "untrusted user could be allowed to edit such content". What do you think ?
Comments
Comment #1
gregglesIn this case it's more important to know how many of these pages there are and, if the number increases, whether new pages are intentional or not. That could be useful if, for example, a CSRF vulnerability in some module allows an attacker to create a new node that has malicious content. Maybe we could make the check more useful for that scenario?
Comment #2
coltraneA goal of this module is to elevate the awareness of security vulnerabilities so while I welcome improving the clarity of text this issue doesn't classify as a bug. The text states "may be a vulnerability if an untrusted user is allowed to edit such content" and therefore isn't making a definitive statement about your site.
I'm changing this to be a feature request for more intelligent help text. At a minimum the text could state whether any of the untrusted roles can in fact edit content.
Comment #3
coltrane(correcting status)
Comment #4
smustgrave commentedClosing as outdated after 6 years as we transition to Drupal 10.
I'm keeping an eye on the 7.x branch of this module, reviews and majors, but
active work is going toward 2.x (supporting D10)
If valid for 2.x please reopen