Index: modules/filter/filter.api.php
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.api.php,v
retrieving revision 1.13
diff -u -p -r1.13 filter.api.php
--- modules/filter/filter.api.php	27 Aug 2009 21:18:19 -0000	1.13
+++ modules/filter/filter.api.php	7 Sep 2009 16:01:45 -0000
@@ -40,6 +40,10 @@
  *     content before the actual filtering happens.
  *   - 'process callback': The name the function that performs the actual
  *     filtering.
+ * - When a text format is checked to determine if it is configured securely,
+ *   the following properties may be used:
+ *   - 'security callback': The name of a function that determines whether the
+ *     filter allows new exploits or prevents existing ones.
  *
  * Filtering is a two-step process. First, the content is 'prepared' by calling
  * the 'prepare callback' function for every filter. The purpose of the 'prepare
@@ -64,6 +68,14 @@
  * format is an entire filter setup: which filters to enable, in what order
  * and with what settings.
  *
+ * Different filters can introduce or remove security vulnerabilities in the
+ * text formats that contain them, depending on how they are configured.
+ * Filters that have implications for security should therefore use the
+ * 'security callback' function to provide information about whether they are
+ * configured securely. The filtering system will collect this information and
+ * use it to automatically determine whether the text format as a whole is
+ * secure.
+ *
  * Filters that require settings should provide the form controls to configure
  * the settings in a form builder function, specified in 'settings callback'.
  * The filter system stores the settings in the database per text format.
@@ -122,6 +134,56 @@
  * - $format: The format object of the text to be filtered.
  * - $long: Boolean whether to return long or short filter guidelines.
  *
+ * 'security callback' is invoked with the following parameters:
+ * - $filter: An object representing the filter within the text format that is
+ *   being checked. The most important property is $filter->settings, which
+ *   contains an array of settings for this filter as it is configured within
+ *   the current text format. The security callback function should inspect
+ *   these settings if they are relevant for determining when the filter is
+ *   configured securely.
+ * - &$warnings: An array which the security callback function should fill with
+ *   warning messages in one of two cases: (1) If the filter opens up a new
+ *   exploit in a previously safe text format, or (2) If the filter could have
+ *   specifically prevented an exploit if it had been configured in a different
+ *   way. The warning messages should be keyed by the type of output in which
+ *   the potential vulnerability exists. For example, use $warnings['html'][]
+ *   for an exploit that occurs when content that passes through the text
+ *   format is output as HTML (e.g., cross-site scripting exploits). This is
+ *   the most common type of output, but others are possible; for example, the
+ *   PHP module uses $warnings['php'][] to indicate that the PHP filter
+ *   contains an inherent vulnerability due to the fact that content which
+ *   passes through it is executed as PHP code.
+ *
+ * The return value of the 'security callback' function is an optional array
+ * representing the effect of the filter on each type of output. The constant
+ * FILTER_EXPLOIT_PREVENTS should be used if the filter prevents security
+ * exploits by sanitizing previously-unsafe content; for example, a filter that
+ * escapes HTML would return array('html' => FILTER_EXPLOIT_PREVENTS). The
+ * constant FILTER_EXPLOIT_ALLOWS should be used if the filter allows a new
+ * security exploit, even if the content passed in to the filter was previously
+ * sanitized. For example, a filter that evaluates PHP code would return
+ * array('php' => FILTER_EXPLOIT_ALLOWS). If the security callback function
+ * does not include a particular type of output in the returned array, this is
+ * taken to mean that the filter does not affect the security of this type of
+ * output one way or the other; unsanitized content passed in to the filter
+ * remains unsanitized after the filter is applied, and sanitized content
+ * passed in to the filter similarly remains sanitized.
+ *
+ * @code
+ *   function mymodule_check_security($filter, &$warnings) {
+ *     if (empty($filter->settings['remove_unsafe_html'])) {
+ *       $warnings['html'][] = t('The "mymodule" filter is configured to allow unsafe HTML. Either select the "remove unsafe HTML" option in the configuration settings for this filter, or add another filter after it that separately removes unsafe HTML.');
+ *     }
+ *     else {
+ *       // The "remove unsafe HTML" configuration option was selected, so this
+ *       // filter prevents HTML exploits.
+ *       return array('html' => FILTER_EXPLOIT_PREVENTS);
+ *     }
+ *   }
+ * @endcode
+ *
+ * @see filter_format_is_secure()
+ *
  * For performance reasons content is only filtered once; the result is stored
  * in the cache table and retrieved from the cache the next time the same piece
  * of content is displayed. If a filter's output is dynamic, it can override the
@@ -145,6 +207,9 @@
  *     of the filtering.
  *   - 'process callback': (required) The callback function to call in the
  *     'process' step of the filtering.
+ *   - 'security callback': A callback function that determines whether the
+ *     filter is configured to allow new security exploits or prevent existing
+ *     ones.
  *   - 'settings callback': A callback function that provides form controls
  *     for the filter's settings. Each filter should apply either the default
  *     settings or the configured settings contained in $filter->settings. The
@@ -166,6 +231,7 @@ function hook_filter_info() {
     'title' => t('Limit allowed HTML tags'),
     'description' => t('Allows you to restrict the HTML tags the user can use. It will also remove harmful content such as JavaScript events, JavaScript URLs and CSS styles from those tags that are not removed.'),
     'process callback' => '_filter_html',
+    'security callback' => '_filter_html_check_security',
     'settings callback' => '_filter_html_settings',
     'default settings' => array(
       'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>',
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.287
diff -u -p -r1.287 filter.module
--- modules/filter/filter.module	30 Aug 2009 06:04:09 -0000	1.287
+++ modules/filter/filter.module	7 Sep 2009 16:01:45 -0000
@@ -15,6 +15,18 @@
 define('FILTER_FORMAT_DEFAULT', 0);
 
 /**
+ * Status which indicates that a filter prevents security exploits. This should
+ * be used by filters that sanitize previously-unsafe content.
+ */
+define('FILTER_EXPLOIT_PREVENTS', 1);
+
+/**
+ * Status which indicates that a filter allows a new security exploit, even if
+ * the content passed in to the filter was previously sanitized.
+ */
+define('FILTER_EXPLOIT_ALLOWS', 2);
+
+/**
  * Implement hook_help().
  */
 function filter_help($path, $arg) {
@@ -211,6 +223,7 @@ function filter_format_save($format) {
     module_invoke_all('filter_format_update', $format);
   }
 
+  drupal_static_reset('filter_list_format');
   cache_clear_all($format->format . ':', 'cache_filter', TRUE);
 
   return $return;
@@ -480,7 +493,7 @@ function filter_format_allowcache($forma
  *   An array of filter objects assosiated to the given format.
  */
 function filter_list_format($format) {
-  static $filters = array();
+  $filters = &drupal_static(__FUNCTION__, array());
   $filter_info = filter_get_filters();
 
   if (!isset($filters[$format])) {
@@ -516,6 +529,82 @@ function filter_list_format($format) {
 }
 
 /**
+ * Determines if a text format is configured securely.
+ *
+ * @param $format
+ *   The ID of the format to check.
+ * @param $warnings
+ *   An array which will be filled with warning messages if the format is
+ *   insecure, explaining the reasons why it is insecure. The keys of the
+ *   array represent types of output in which a security vulnerability exists,
+ *   and the values are arrays of messages describing the vulnerability for
+ *   that output type. Possible keys include 'html' (if content that passes
+ *   through the text format will be insecure when output as HTML) and 'php'
+ *   (if content that passes through the text format will be executed as PHP
+ *   code).
+ * @return
+ *   TRUE if the format is configured securely, FALSE otherwise.
+ */
+function filter_format_is_secure($format, &$warnings) {
+  // Start with a blank slate of warning messages.
+  $warnings = array();
+
+  // All text formats start off as insecure, because unfiltered HTML is by
+  // definition not safe.
+  $format_status = array('html' => FILTER_EXPLOIT_ALLOWS);
+
+  // Go through each filter and execute its security callback function,
+  // modifying the overall state of the text format as appropriate.
+  $filters = filter_list_format($format);
+  $filter_info = filter_get_filters();
+  foreach ($filters as $name => $filter) {
+    if (isset($filter_info[$name]['security callback']) && function_exists($filter_info[$name]['security callback'])) {
+      // Check if the callback function returned any security result or
+      // warnings associated with this filter.
+      $filter_warnings = array();
+      $callback_function = $filter_info[$name]['security callback'];
+      $result = $callback_function($filter, $filter_warnings);
+      if (!empty($result) || !empty($filter_warnings)) {
+        // Merge in the results of the callback function, so that if the filter
+        // either explicitly allows or explicitly prevents exploits for a
+        // particular type of output, that result becomes the new, temporary
+        // status for the text format as a whole.
+        if (!empty($result)) {
+          $format_status = array_merge($format_status, $result);
+        }
+        // Merge in any warnings that this filter added for each type of
+        // output.
+        if (!empty($filter_warnings)) {
+          $warnings = array_merge_recursive($warnings, $filter_warnings);
+        }
+        // Clear out all warning messages except those for output types where
+        // exploits are currently allowed.
+        foreach (array_keys($warnings) as $type) {
+          if (!isset($format_status[$type]) || $format_status[$type] == FILTER_EXPLOIT_PREVENTS) {
+            unset($warnings[$type]);
+          }
+        }
+      }
+    }
+  }
+
+  // If the text format allows HTML exploits but no warning messages have been
+  // added, use a default message that is appropriate for unfiltered HTML. This
+  // covers the case where no HTML filter has been applied at all.
+  if ($format_status['html'] == FILTER_EXPLOIT_ALLOWS && empty($warnings['html'])) {
+    $warnings['html'][] = t('No filter has been added to sanitize raw HTML.');
+  }
+
+  // Return FALSE (the format is insecure) if exploits of any kind are allowed.
+  foreach ($format_status as $status) {
+    if ($status != FILTER_EXPLOIT_PREVENTS) {
+      return FALSE;
+    }
+  }
+  return TRUE;
+}
+
+/**
  * @name Filtering functions
  * @{
  * Modules which need to have content filtered can use these functions to
@@ -736,6 +825,18 @@ function filter_dom_serialize($dom_docum
 }
 
 /**
+ * Splits a string containing HTML tags into an array of tag names.
+ *
+ * @param $tag_string
+ *   A string containing HTML tags; for example, '<a> <em> <strong>'.
+ * @return
+ *   An array of tag names; for example, array('a', 'em', 'strong').
+ */
+function _filter_split_tags($tag_string) {
+  return preg_split('/\s+|<|>/', $tag_string, -1, PREG_SPLIT_NO_EMPTY);
+}
+
+/**
  * Format a link to the more extensive filter tips.
  *
  * @ingroup themeable
@@ -768,6 +869,7 @@ function filter_filter_info() {
     'title' => t('Limit allowed HTML tags'),
     'description' => t('Allows you to restrict the HTML tags the user can use. It will also remove harmful content such as JavaScript events, JavaScript URLs and CSS styles from those tags that are not removed.'),
     'process callback' => '_filter_html',
+    'security callback' => '_filter_html_check_security',
     'settings callback' => '_filter_html_settings',
     'default settings' => array(
       'allowed_html' => '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>',
@@ -801,6 +903,7 @@ function filter_filter_info() {
     'title' => t('Escape all HTML'),
     'description' => t('Escapes all HTML tags, so they will be visible instead of being effective.'),
     'process callback' => '_filter_html_escape',
+    'security callback' => '_filter_html_escape_check_security',
     'tips callback' => '_filter_html_escape_tips',
   );
   return $filters;
@@ -834,10 +937,30 @@ function _filter_html_settings(&$form_st
 }
 
 /**
+ * Security callback for the HTML filter.
+ */
+function _filter_html_check_security($filter, &$warnings) {
+  $allowed_tags = _filter_split_tags($filter->settings['allowed_html']);
+  $dangerous_tags = array('iframe', 'object', 'embed', 'script', 'style'); // Obviously we can expand this later!
+  $tags = array_intersect($dangerous_tags, $allowed_tags);
+  if (empty($tags)) {
+    // If the filter does not allow any dangerous tags, that means it is
+    // configured to prevent HTML exploits.
+    return array('html' => FILTER_EXPLOIT_PREVENTS);
+  }
+  else {
+    // Otherwise, generate a useful warning for the case where this filter is
+    // being used in an already insecure text format, to explain how it could
+    // have been made safe.
+    $warnings['html'][] = t('The HTML filter is configured to allow the following dangerous tags: %tags', array('%tags' => implode(', ', $tags)));
+  }
+}
+
+/**
  * HTML filter. Provides filtering of input into accepted HTML.
  */
 function _filter_html($text, $filter) {
-  $allowed_tags = preg_split('/\s+|<|>/', $filter->settings['allowed_html'], -1, PREG_SPLIT_NO_EMPTY);
+  $allowed_tags = _filter_split_tags($filter->settings['allowed_html']);
   $text = filter_xss($text, $allowed_tags);
 
   if ($filter->settings['filter_html_nofollow']) {
@@ -1000,6 +1123,15 @@ function _filter_html_escape($text) {
 }
 
 /**
+ * Security callback for the HTML escaping filter.
+ */
+function _filter_html_escape_check_security($filter, &$warnings) {
+  // Because this filter escapes all HTML, it prevents any HTML-related
+  // exploits from occurring.
+  return array('html' => FILTER_EXPLOIT_PREVENTS);
+}
+
+/**
  * @} End of "Standard filters".
  */
 
Index: modules/filter/filter.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.test,v
retrieving revision 1.39
diff -u -p -r1.39 filter.test
--- modules/filter/filter.test	29 Aug 2009 03:55:44 -0000	1.39
+++ modules/filter/filter.test	7 Sep 2009 16:01:46 -0000
@@ -765,6 +765,74 @@ class FilterUnitTestCase extends DrupalW
 }
 
 /**
+ * Tests for the text format security API.
+ */
+class FilterFormatSecurityTestCase extends DrupalWebTestCase {
+  public static function getInfo() {
+    return array(
+      'name' => 'Text format security',
+      'description' => 'Test the API for determining whether text formats are secure.',
+      'group' => 'Filter',
+    );
+  }
+
+  /**
+   * Test that text formats are labeled secure or insecure, as appropriate.
+   */
+  function testFormatSecurity() {
+    // Test a text format with no filters; it should be labeled insecure.
+    $format = new stdClass();
+    $format->name = $this->randomName();
+    $format->roles = array();
+    $format->filters = array();
+    filter_format_save($format);
+    $this->assertFalse(filter_format_is_secure($format->format, $warnings), t('A text format with no filters is labeled insecure.'));
+    $this->assertEqual(count($warnings['html']), 1, t('A text format with no filters has an associated warning message about insecure HTML.'));
+
+    // Add the HTML filter with default settings; the format should now be
+    // secure.
+    $format->roles = array();
+    $format->filters = array('filter_html' => 1);
+    filter_format_save($format);
+    $this->assertTrue(filter_format_is_secure($format->format, $warnings), t('A text format with the default HTML filter is labeled secure.'));
+    $this->assertEqual(count($warnings), 0, t('A text format with the default HTML filter has no associated warning messages.'));
+
+    // Add an unsafe tag; the format should now be insecure.
+    $format->roles = array();
+    $format->settings['filter_html'] = array('allowed_html' => '<a> <em> <strong> <script>');
+    filter_format_save($format);
+    $this->assertFalse(filter_format_is_secure($format->format, $warnings), t('A text format that allows script tags is labeled insecure.'));
+    $this->assertEqual(count($warnings['html']), 1, t('A text format that allows script tags has an associated warning message about insecure HTML.'));
+
+    // Create a new format that is the same as the previous one, but escapes
+    // all HTML first; the text format should be secure.
+    unset($format->format);
+    $format->name = $this->randomName();
+    $format->roles = array();    
+    $format->filters = array(
+      'filter_html_escape' => 1,
+      'filter_html' => 1,
+    );
+    filter_format_save($format);
+    $this->assertTrue(filter_format_is_secure($format->format, $warnings), t('A text format that escapes HTML before improperly filtering it is labeled secure.'));
+    $this->assertEqual(count($warnings), 0, t('A text format that escapes HTML before improperly filtering it has no associated warning messages.'));
+
+    // Do the same thing as above, but escape HTML afterwards instead; the text
+    // format should still be secure.
+    unset($format->format);
+    $format->name = $this->randomName();
+    $format->roles = array();
+    $format->filters = array(
+      'filter_html' => 1,
+      'filter_html_escape' => 1,
+    );
+    filter_format_save($format);
+    $this->assertTrue(filter_format_is_secure($format->format, $warnings), t('A text format that escapes HTML after improperly filtering it is labeled secure.'));
+    $this->assertEqual(count($warnings), 0, t('A text format that escapes HTML after improperly filtering it has no associated warning messages.'));
+  }
+}
+
+/**
  * Tests for filter hook invocation.
  */
 class FilterHooksTestCase extends DrupalWebTestCase {
Index: modules/php/php.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/php/php.module,v
retrieving revision 1.20
diff -u -p -r1.20 php.module
--- modules/php/php.module	27 Aug 2009 21:18:19 -0000	1.20
+++ modules/php/php.module	7 Sep 2009 16:01:46 -0000
@@ -127,9 +127,18 @@ function php_filter_info() {
     'title' => t('PHP evaluator'),
     'description' => t('Executes a piece of PHP code. The usage of this filter should be restricted to administrators only!'),
     'process callback' => 'php_eval',
+    'security callback' => '_php_check_security',
     'tips callback' => '_php_filter_tips',
     'cache' => FALSE,
   );
   return $filters;
 }
 
+/**
+ * Security callback for the PHP filter.
+ */
+function _php_check_security($filter, &$warnings) {
+  // Any format using this filter is insecure.
+  $warnings['php'][] = t('The PHP filter allows users to execute arbitrary PHP code on your site.');
+  return array('php' => FILTER_EXPLOIT_ALLOWS);
+}
Index: modules/php/php.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/php/php.test,v
retrieving revision 1.16
diff -u -p -r1.16 php.test
--- modules/php/php.test	28 Aug 2009 16:23:04 -0000	1.16
+++ modules/php/php.test	7 Sep 2009 16:01:46 -0000
@@ -101,3 +101,47 @@ class PHPAccessTestCase extends PHPTestC
     $this->assertNoFieldByName('body_format', '3', t('Format not available.'));
   }
 }
+
+/**
+ * Test that text formats with the PHP filter are always labeled as insecure.
+ */
+class PHPFilterSecurityTestCase extends PHPTestCase {
+  public static function getInfo() {
+    return array(
+      'name' => 'PHP filter security',
+      'description' => 'Test that text formats containing the PHP filter are always labeled as insecure.',
+      'group' => 'PHP',
+    );
+  }
+
+  /**
+   * Test that the PHP filter is correctly labeled as insecure.
+   */
+  function testPHPFilterSecurity() {
+    // Test a text format with the PHP filter only; it should be labeled
+    // insecure for both HTML and PHP exploits.
+    $format = new stdClass();
+    $format->name = $this->randomName();
+    $format->roles = array();
+    $format->filters = array('php_code' => 1);
+    filter_format_save($format);
+    $this->assertFalse(filter_format_is_secure($format->format, $warnings), t('A text format with the PHP filter is labeled insecure.'));
+    $this->assertEqual(count($warnings['php']), 1, t('A text format with the PHP filter has an associated warning message about PHP code execution.'));
+    $this->assertEqual(count($warnings['html']), 1, t('A text format with the PHP filter has an associated warning message about insecure HTML.'));
+
+    // Create a new format that is the same as the previous one, but escapes
+    // all HTML afterwards; the text format should still be labeled insecure
+    // for PHP exploits, but not for HTML exploits.
+    unset($format->format);
+    $format->name = $this->randomName();
+    $format->roles = array();
+    $format->filters = array(
+      'php_code' => 1,
+      'filter_html_escape' => 1,
+    );
+    filter_format_save($format);
+    $this->assertFalse(filter_format_is_secure($format->format, $warnings), t('A text format with the PHP filter that also escapes HTML is still labeled insecure.'));
+    $this->assertEqual(count($warnings['php']), 1, t('A text format with the PHP filter that also escapes HTML still has an associated warning message about PHP code execution.'));
+    $this->assertTrue(empty($warnings['html']), t('A text format with the PHP filter that also escapes HTML has no associated warning messages about insecure HTML.'));
+  }
+}