Article
Posted on 24th June 2025
Takes about 2 mins to read

When a client has a need or idea that other people might benefit from, it's a great opportunity to contribute a module back to the community. I recently created the new Autocreate Access module to solve a problem on a project where Drupal's autocomplete tagging widget for taxonomy terms didn't work as our client expected. Typically, Drupal sites utilise this field widget to allow users to create new categories for their content on the fly...

Article
Posted on 28th November 2024
Takes about 1 min to read

We recently went through the process of applying for Cyber Essentials. Cyber Essentials is a program created by the UK government to help businesses get on top of their cyber security. It was an interesting process for us to go through, and certainly helped us to formalise and document practices we had been doing for years. We did hit a bit of a blocker for our developers though, specifically on point A7.6 Use of Administrator Accounts...

Published in: #security
Article
Posted on 26th October 2022
Takes about 4 mins to read

Drupal provides an excellent sanitisation system to filter the HTML content that editors might create. Think of it like a series of traffic cops that filter different vehicles into different lanes. Some content is allowed through to its destination, some has to be transformed along the way, and some is simply blocked from displaying. Administrators can use the 'Limit allowed HTML tags and correct faulty HTML' option to configure which HTML elements and attributes they...
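As an added illustration, not code from this article, here is the same whitelist approach driven directly from Drupal's `\Drupal\Component\Utility\Xss` class, which the core 'Limit allowed HTML tags' filter relies on. The sample input string, the allowed-tag list and the helper name `sanitise_editor_html()` are constructed for the example.

```php
<?php
// Added example, not code from the article. It uses Drupal's own
// \Drupal\Component\Utility\Xss class, so it has to be run with a Drupal
// project's Composer autoloader loaded, e.g. from the project root:
//   php -r 'require "vendor/autoload.php"; require "xss_demo.php";'
use Drupal\Component\Utility\Xss;

/**
 * Filters editor-supplied HTML down to a whitelist of tags.
 *
 * Any tag not in $allowed is stripped (its text content is kept), and
 * Xss::filter() additionally removes on* event-handler attributes and
 * strips the javascript: scheme from URLs even on tags that are allowed.
 */
function sanitise_editor_html(string $html, array $allowed): string {
  return Xss::filter($html, $allowed);
}

// Constructed sample input: an ordinary paragraph carrying three payloads,
// an inline event handler, a javascript: link and a script element.
$dirty = '<p onmouseover="steal()">Hello <a href="javascript:alert(1)">here</a>'
  . '<script>alert(document.cookie)</script></p>';

// A whitelist roughly equivalent to a restricted editor text format.
$allowed = ['p', 'a', 'em', 'strong', 'ul', 'ol', 'li'];

echo sanitise_editor_html($dirty, $allowed), PHP_EOL;
// The <script> element and the onmouseover attribute are removed and the
// javascript: scheme is stripped from the href. The body of the script
// survives as inert text, because this is a tag filter, not a text filter:
// that is the "transformed along the way" lane in the traffic-cop picture.
```

The check a practitioner wants to keep in mind: `Xss::filter()` decides per tag and per attribute, so the whitelist you hand it is the whole policy. Allowing a tag like `<a>` is safe only because the class also scrubs its `href` scheme; allowing `<img>` or `<iframe>` in an editor format hands editors a much larger surface than the tag name suggests.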

Article
Posted on 12th January 2021
Takes about 5 mins to read

Update! Since this article was written, a new 'lenient' composer endpoint has been created on Drupal.org to support using modules with Drupal 9 that haven't been marked as compatible with it yet. See the documentation, which boils down to adding a new common entry under 'repositories' in your composer.json, above the usual https://packages.drupal.org/8 one. The rest of this article is still useful for understanding how patching fits into composer's workflow.

The vast majority of community-contributed...
Article
Posted on 16th June 2020
Takes about 4 mins to read

There are some key files like robots.txt and .htaccess which are often tweaked for Drupal websites. These can be considered part of the 'scaffolding' of a site - they control the way the site works, rather than its content or design. Any new release of Drupal core that includes changes to them specifically mentions that they need updating, as those changes may have to be merged with any customisations made on your site. For example...
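Both of the composer topics above, the lenient endpoint with patching from the 12th January 2021 article and the scaffold files from this one, live in the same file, so here is one added composer.json fragment (not from either article) showing them together. The package name `drupal/example_module`, the local patch path and `assets/robots-additions.txt` are hypothetical placeholders; `https://packages.drupal.org/lenient` is the endpoint that the update note refers to.

```json
{
    "repositories": [
        {
            "type": "composer",
            "url": "https://packages.drupal.org/lenient"
        },
        {
            "type": "composer",
            "url": "https://packages.drupal.org/8"
        }
    ],
    "require": {
        "cweagles/composer-patches": "^1.7",
        "drupal/core-composer-scaffold": "^9",
        "drupal/core-recommended": "^9",
        "drupal/example_module": "^1.0"
    },
    "extra": {
        "composer-exit-on-patch-failure": true,
        "patches": {
            "drupal/example_module": {
                "Hypothetical Drupal 9 compatibility fix, kept in the project repo": "patches/example_module-d9-compat.patch"
            }
        },
        "drupal-scaffold": {
            "locations": {
                "web-root": "web/"
            },
            "file-mapping": {
                "[web-root]/robots.txt": {
                    "append": "assets/robots-additions.txt"
                },
                "[web-root]/.htaccess": false
            }
        }
    }
}
```

The ordering of `repositories` matters: composer asks them in turn, so the lenient endpoint has to come before `packages.drupal.org/8` for its relaxed `core_version_requirement` metadata to win. `composer-exit-on-patch-failure` turns a patch that no longer applies after a module update into a hard failure rather than a silent skip, which is the failure mode you want when the patch is what keeps a site secure. For the scaffold files, `append` keeps core's robots.txt intact and writes your additions after it on every `composer install`, so core's changes arrive automatically; setting `.htaccess` to `false` tells the plugin never to touch your copy, which means you take on the manual merge whenever a release note flags changes to it, exactly the situation the article describes. The lenient endpoint itself has since been retired by Drupal.org in favour of the mglaman/composer-drupal-lenient plugin, so treat the first repository entry as historical.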

Article
Posted on 10th May 2019
Takes about 1 min to read

Drupal receives security updates several times a year, and we always apply them as soon as possible. Since Drupal security issues can make the headlines, it's important that site owners know that their site is secure and up to date - it provides for peace of mind and for pride in an excellent site. We decided this year to ensure that clients know about security updates to Drupal Core on their site. Via a quick...

Published in: #security
Article
Posted on 7th March 2019
Takes about 4 mins to read

Last night saw the popular EU Cookie Compliance module fall from grace, as the Drupal community discovered that numerous inputs in the admin form were not being sanitised. To me, this shows some serious failings in how our community is handling security awareness. Let's do some fixing :)

### 1) We need to make this OBVIOUS, with clear examples

One of the most important things when trying to get people to write secure code is...
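In that spirit, an added example (not code from the EU Cookie Compliance module or from this article): a hypothetical module takes an administrator-entered setting, `$banner`, from its config form and renders it. The first function shows the patterns that put the value on the page unescaped; the second shows the safe equivalents. It needs Drupal's autoloader and container to run, and the function names and the `basic_html` format are assumptions for the example.

```php
<?php
// Added example, not code from any real module. Demonstrates how an
// admin-form value ends up rendered unsanitised, and how to do it safely.
use Drupal\Component\Render\FormattableMarkup;
use Drupal\Core\Render\Markup;

/**
 * VULNERABLE: each element asserts that $banner is already safe HTML.
 */
function example_banner_unsafe(string $banner): array {
  return [
    // Interpolating the value into the t() string: t() returns
    // TranslatableMarkup, which the renderer treats as safe, so any HTML in
    // $banner is emitted verbatim. It also makes the string untranslatable.
    'a' => ['#markup' => t('Banner: ' . $banner)],
    // Markup::create() is an explicit promise that the string is safe.
    'b' => ['#markup' => Markup::create($banner)],
    // Same problem through FormattableMarkup with the value in the string
    // rather than in the placeholder arguments.
    'c' => ['#markup' => new FormattableMarkup('Banner: ' . $banner, [])],
  ];
}

/**
 * SAFE: the value is either escaped or run through a text format.
 */
function example_banner_safe(string $banner, string $format = 'basic_html'): array {
  return [
    // '@' placeholders are escaped before substitution.
    'a' => ['#markup' => t('Banner: @banner', ['@banner' => $banner])],
    // #plain_text always escapes, for a value with no surrounding text.
    'b' => ['#plain_text' => $banner],
    // When the setting is meant to carry limited HTML (a cookie banner with
    // a link, say), run it through a text format so the same 'Limit allowed
    // HTML tags' filter that editors get applies to the admin's input too.
    'c' => [
      '#type' => 'processed_text',
      '#text' => $banner,
      '#format' => $format,
    ],
  ];
}
```

One caveat worth knowing when reviewing this kind of code: a bare string in `#markup` (as opposed to a `MarkupInterface` object) is passed through `Xss::filterAdmin()` by the renderer, so `'#markup' => $banner` on its own does not execute `<script>`, but it does let any admin-level HTML through. The holes are the places where code claims the string is safe, which is what all three lines in `example_banner_unsafe()` do.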

Article
Posted on 12th December 2018
Takes about 8 mins to read

After reading this from Ars Technica, which describes how a developer offered to 'help' the maintainer of an NPM module - and then slowly introduced malicious code to it - I can't help but wonder if the Drupal community is vulnerable to the exact same issue. Let's discuss!

### Please, don't touch my package

NPM modules have been hacked at before, and it's not pretty when it happens. Because of the way we use packages, it's...

Article
Posted on 9th November 2018
Takes about 1 min to read

I'll keep this short and sweet, but we thought this would be a useful tip to share with the world as a potential security issue with the combined use of File::getFileUri() and FileSystem::realpath(). Consider the following code excerpt:

```php
use Drupal\file\Entity\File;

$file = File::load($some_file_uri);
if ($file) {
  // The stream-wrapper URI of the file entity, e.g. public://... or private://...
  $uri = $file->getFileUri();
  // Resolve that URI to an absolute path on the local filesystem.
  $file_realpath = \Drupal::service('file_system')->realpath($uri);
}
```

Seems pretty harmless right? Load up the file from $some_file_uri, if we have a valid file then get the URI and then...

Published in: #Drupal Planet #Drupal 8 #security
Article
Posted on 26th April 2018
Takes about 1 min to read

As with every other Drupal agency on the planet, it was another fun evening of frantic patching of client sites last night due to the release of the highly critical SA-CORE-2018-004 security update for Drupal, released on 25/04/2018. Being so closely related to SA-CORE-2018-002 and knowing proven exploits for that were already affecting thousands of unpatched Drupal sites, time was of the essence for this one as a new exploit was sure to be released...

Published in: #Drupal #Drupal 7 #Drupal 8 #security