On the Dangerous tags in content page:
eng/admin/reports/security-review/help/security_review/field
I get a report of:
"PHP found in"
After the Javascript pages that is incomplete.
I also know there is PHP in a few Views (maybe not in the pages, but certainly in Views) and it isn't being displayed?
Where is this script checking for PHP? It can now be hidden away in so many places.
| Comment | File | Size | Author |
|---|---|---|---|
| #14 | security-review.png | 10.61 KB | sah62 |
Comments
Comment #1
coltrane
It only checks fields that are stored in SQL so Views aren't checked. Further checks are welcome tho.
Comment #2
mgifford
Ok.. Might want to add a sentence like that to the bottom of the review to let folks know that it isn't a bug.
Comment #3
coltrane
I'm not clear from your original report what you're saying is a bug. Was it that it doesn't list Views?
The text could probably be improved, sure.
Comment #4
mgifford
I just saw "PHP found in"
And then the page ended.
If I saw nothing then I wouldn't think there was a problem. As it was though I assumed that it failed as I knew there was PHP in a View.
Comment #5
coltrane
Ah, ok, I wasn't clear about that. That does sound like a bug, thanks for the clarification. I'll investigate.
Comment #6
coltrane
mgifford, when you have a chance can you test with 7.x-1.x-dev and see if the error still appears?
Comment #7
mgifford
The review didn't get further than: batch?op=start&id=6
Didn't get a WSOD, but nothing appeared visually under Performing Security Review and although <div id="progress"></div> </div> was there, it never was populated. Didn't see any errors either.
Was a bit tricky to find the dev release, but got there eventually. Why not list it on the Project page?
Comment #8
coltrane
@mgifford does 7.x-1.x-dev complete a review?
Comment #9
mgifford
Sorry, I don't see it here https://drupal.org/node/622676/release
Comment #10
coltrane
Here it is https://drupal.org/node/995796
Comment #11
mgifford
I'm not sure. That's from 2010!
Also, I couldn't test it here http://simplytest.me/project/security_review
I'm going to mark this as postponed as I don't have that environment any more and it's going to take too long to re-create.
Comment #12
coltrane
@mgifford Just so you're aware about drupal.org project releases. There's a release node that's associated with a packaged tarball of a tag or branch of the underlying repository, and the dates of those "things" don't have to be the same. That release has a node with a created date of 2010, but the way the drupal.org packaging system works is that because it's a release node against a branch the system will update its packaged tarball whenever there are commits. The tarball has been updated many times since 2010 ;) Here's an image illustrating where it says the release update is http://monosnap.com/image/Le7m0FSShhxJDHEdE36NKUMR5
Great point about testing on simplytest.me!
Comment #13
mgifford
Damn.. Good to hear that it's much more active than it looked.
Comment #14
sah62 commented
I'm experiencing this same issue. I had some PHP in a node, it was correctly detected. I removed the PHP, re-ran the review, and I'm still getting the warning - but there's no content listed (see attached image). I get the same behavior with both 7.x-1.1 and 7.x-1.x-dev.
Comment #15
sah62 commented
Please ignore #14. I just realized that I was looking at results without having first re-run the review. After re-running the review the warning went away.
Comment #16
coltrane
Re-reading through this I don't see anything requiring any action. Please re-open or create a new issue if there's something I've missed.