6.2. Common Mistakes

As I mentioned in the chapter opening, the theme is often the source of both large volumes of vulnerabilities and vulnerabilities that are particularly dangerous. This section covers some common errors. To test yourself, try to spot the problem before it is explained. These problems usually appear for one of two reasons.

  • If she needs additional data, a themer will often write code to get that data and then insert it into her code. Both the process of getting the data (command execution, access bypass) and the insertion of the data (XSS) present opportunities for vulnerabilities.

  • If a module developer created a theme function, which includes some sort of filtering—either explicitly like check_plain or implicitly like the l function—a themer unfamiliar with the API might remove that filtering.

6.2.1. Printing Raw Node Data

This problem seems to come about particularly with fields added to nodes using the Content Construction Kit (CCK), but it follows this basic format: Get a node object from somewhere such as a node_load and then print out a piece of it.

$node = node_load($some_nid);
print $node->field_text[0]['value'];

This kind of code is often inside some other display tags, but those two lines are the most important ones. That's absolutely the wrong way to write it. This method may work a lot of the time, but as soon as a user enters some code, he can perform a cross-site scripting and only need you to visit it in order to take over your site.

As you can ...

Get Cracking Drupal®: A Drop in the Bucket now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.