You are here

Cracking drupal

Submitted by nicolas on Fri, 12/10/2010 - 21:26

The book

A few months ago I read Cracking drupal. It is a good book if you want to understand what the vulnerabilities of your drupal site are. 

In a certain chapter Greg Knaddison talks about security in the API. He explains what the t() function is all about. How you can use it when you need to append variables to your message.


The real-life example

Well a few weeks ago I stumbled upon this piece of code: 

t('Welcome') . ' ' . $user->firstname;

This caught my eye and an alarm bell went off. This is how you make your site vulnerable to XSS attacks. What is wrong with this code? Well, two things:

  • You are translating only a part of your output.
  • You are appending user input (the firstname of a user) without sanitizing the data.

So what do you need to do in this case? You have to know that the t() function works with placeholders for variables. If you use the function with the placeholders, the values passed along will be run through the check_plain function before they are used in the message you want to display.

In this case the right code would be:

t('Welcome %firstname', array('%firstname' => $user->firstname));

Besides, working with placeholders makes it easier to translate. Especially when words have to switch places when translating. 






Blog category: