In #275811: Warn about potentially insecure filter configurations we have a patch which is hopefully extremely likely to go into Drupal 7 (because it has been labeled a "release blocker" by the Drupal Security Team lead...)
The patch allows us to dynamically detect exactly which text formats on a Drupal site are configured insecurely, and to provide specific information about what makes them insecure.
We deliberately left out any serious user interface changes from that patch in order to focus on the API. The only user interface change that patch currently contains is the obvious one (putting the standard Drupal 7 warning about these text formats on the permission screen): http://drupal.org/files/issues/filter_permission_warnings.png
This issue is for figuring out how best to communicate this security information elsewhere in Drupal (mainly on the text format administration pages, but perhaps elsewhere also). The way the patch works, we are capable of printing text that is more or less along these lines:
This text format is configured insecurely. Only administrators and other highly trusted users should be given access to use it. The reason it is insecure is:
* The HTML filter is configured to allow the following unsafe tags: <script>, <object>, etc.
* The PHP filter allows users to execute arbitrary PHP code on your site.
Discuss :)
Comments
Comment #1
heather commented
Tagging with Usability.
(the sidebar block link for "usability" lists issues tagged with Usability or d7ux)
http://drupal.org/project/issues/search/drupal?version[0]=7.x&issue_tags...
Comment #2
jix_ commented
Mockups.
Warnings for unsafe filters on the permissions page:
http://www.flickr.com/photos/mverbaar/4109242358/
Configuration page with warnings and labels for safe/unsafe filters:
http://www.flickr.com/photos/mverbaar/4108619091/
Comment #3
Bojhan commented
To get some of the craziness out of this issue, let's focus on what it's about and not add extra tag cruft. The proposed design obviously makes far too much impact on the permission page, no reason to add more clutter there.
Comment #4
jix_ commented
How? It basically just wraps the warning (which is already there) in an actual warning style (yellow box), which, as I see it, removes clutter as the warning is separated from the description.
Comment #5
Bojhan commented
@mverbaar It is a low use case, and it adds so much visual prominence to it?
Comment #6
jix_ commented
The visual prominence is only there for potentially dangerous filters, to probably just 1 in most cases. (Full HTML.)
I guess you're right though. There are a lot more potentially "dangerous" permissions in there, if we'd put warnings on all of those it would end up looking like a yellow zebra.
In that sense, should we just remove the warnings completely (the non-styled versions which are there now)? Keeping the warnings just at the filter configuration page ...
And how about the other mockup, the configuration page itself. Do you think the warnings (and labels) are ok there?
Comment #7
pwolanin commented
subscribe
Comment #8
sun
#275811: Warn about potentially insecure filter configurations won't land for D7.
Comment #9
kscheirer
Needs work then.
Comment #10
wim leers
There's much more discussion around this already in #1835188: Make configuration of text formats more secure by default. Let's continue there.