
Benjamin Melançon mlncn

mlncn / security.md
Last active August 29, 2015 14:22 — forked from joelpittet/security.md
Correct a few typos and misspellings. No substantive changes.

Security

History

In Drupal 7 and prior versions we relied on developers and themers escaping variables manually. Every variable was either run through check_plain(), filter_xss() or another filter function by hand, or it was assumed to be safe. It is easy to see how that assumption gets overlooked or forgotten, leaving us with a security vulnerability, usually in the form of an XSS attack.

One of the major reasons for choosing Twig in Drupal 8 was its autoescape security feature, which escapes every variable automatically as it is printed. This removes a whole class of concerns and a burden from the Security Team, and protects Drupal sites by default. It is equivalent to writing <?php print check_plain($variable); ?> for every variable printed in Drupal 7.

Flipping our security on its head aka Security Thought Process

mlncn / app.coffee
Last active December 17, 2015 01:38 — forked from jondot/app.coffee
class Thumb extends Backbone.Model
  defaults:
    uri: ''
    state: ''
  # Mark the thumbnail as selected (or clear the selection) by updating its state attribute.
  select: (state) ->
    st = ''
    st = 'selected' if state
    @set('state' : st)
#!/bin/sh
# Pre-commit hook for git which removes trailing whitespace, converts tabs to spaces, and enforces a max line length.
# Use the "git rev-parse" subcommand form; the dashed "git-rev-parse" binary is no longer installed on PATH by modern git.
if git rev-parse --verify HEAD >/dev/null 2>&1 ; then
    against=HEAD
else
    # Initial commit: diff against an empty tree object (git's well-known empty tree hash)
    against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
fi
mlncn / tpl.html
Created September 3, 2011 00:32 — forked from jacine/tpl.html
hrm...
<span property="dc:date dc:created" content="2011-08-30T17:01:12-04:00" datatype="xsd:dateTime">
  <time datetime="2011-08-30T21:01:12" pubdate="pubdate">30 Aug 2011</time>
</span>
mlncn / showspreadsheet.php
Created January 9, 2011 12:44 — forked from pamelafox/showspreadsheet.php
By Pamela Fox, a tiny code snippet for using PHP to render published Google spreadsheets as HTML, ported from her similarly tiny Python + App Engine version here: https://github.com/pamelafox/pamelafox-site/blob/master/main.py
<?php
// Parsing this spreadsheet: https://spreadsheets.google.com/pub?key=0Ah0xU81penP1dFNLWk5YMW41dkcwa1JNQXk3YUJoOXc&hl=en&output=html
$url = 'http://spreadsheets.google.com/feeds/list/0Ah0xU81penP1dFNLWk5YMW41dkcwa1JNQXk3YUJoOXc/od6/public/values?alt=json';
$file = file_get_contents($url);
$json = json_decode($file);
// Bail out if the fetch failed or the feed is not the expected JSON shape.
if ($json === null || !isset($json->feed->entry)) {
  die('Could not read the spreadsheet feed.');
}
$rows = $json->feed->entry;
foreach ($rows as $row) {
  echo '<p>';
  // (per-row cell output is cut off in this gist preview)
  echo '</p>';
}