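'script', 'PHP' => '?php', ];

    // Load all of the entities.
    $entities = [];
    $bundle_info = $this->entityManager()->getAllBundleInfo();
    foreach ($bundle_info as $entity_type_id => $bundles) {
      $current = $this->entityManager()
        ->getStorage($entity_type_id)
        ->loadMultiple();
      $entities = array_merge($entities, $current);
    }

    // Search for text fields.
    $text_items = [];
    foreach ($entities as $entity) {
      if ($entity instanceof FieldableEntityInterface) {
        /** @var FieldableEntityInterface $entity */
        foreach ($entity->getFields() as $field_list) {
          foreach ($field_list as $field_item) {
            if ($field_item instanceof TextItemBase) {
              /** @var TextItemBase $field_item */
              // Text field found.
              $text_items[] = $field_item;
            }
          }
        }
      }
    }

    // Scan the text items for vulnerabilities.
    foreach ($text_items as $item) {
      $entity = $item->getEntity();
      foreach ($item->getProperties() as $property) {
        /** @var TypedDataInterface $property */
        $value = $property->getValue();
        if (is_string($value)) {
          $field_name = $item->getFieldDefinition()->getLabel();
          foreach ($tags as $vulnerability => $tag) {
            // NOTE(review): strpos() matches case-sensitively, so a tag in a
            // different case than the $tags entry is not reported. Confirm
            // whether a case-insensitive match (stripos) is the intended
            // detection coverage.
            if (strpos($value, '<' . $tag) !== FALSE) {
              // Vulnerability found.
              $findings[$entity->getEntityTypeId()][$entity->id()][$field_name][] = $vulnerability;
            }
          }
        }
      }
    }

    if (!empty($findings)) {
      $result = CheckResult::FAIL;
    }

    return $this->createResult($result, $findings);
  }

  /**
   * {@inheritdoc}
   */
  public function help() {
    $paragraphs = [];
    $paragraphs[] = $this->t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. 
It is recommended you remove such contents.');

    return [
      '#theme' => 'check_help',
      '#title' => $this->t('Dangerous tags in content'),
      '#paragraphs' => $paragraphs,
    ];
  }

  /**
   * Resolves the entity and link behind every finding.
   *
   * evaluate() and evaluatePlain() walk the same nested findings array and
   * need the same entity/URL lookup, so the walk lives here.
   *
   * @param array $findings
   *   Findings keyed by entity type ID, then entity ID, then field label; each
   *   leaf is a list of vulnerability names (the keys of $tags in run()).
   *
   * @return \Generator
   *   Yields arrays with the keys 'entity', 'field', 'finding' and 'url'. An
   *   entity that can no longer be loaded (removed since the check ran) is
   *   skipped instead of being dereferenced as NULL.
   */
  private function findingRows(array $findings) {
    foreach ($findings as $entity_type_id => $entities) {
      // NOTE(review): entityManager() is deprecated in Drupal 8 in favour of
      // entityTypeManager(); switch once the base class exposes it.
      $storage = $this->entityManager()->getStorage($entity_type_id);
      foreach ($entities as $entity_id => $fields) {
        $entity = $storage->load($entity_id);
        if ($entity === NULL) {
          // Nothing to report a link for; the content is already gone.
          continue;
        }
        // toUrl() throws when the requested link template is missing rather
        // than returning NULL, so test for the template explicitly. The URL is
        // the same for every field of the entity, so resolve it once.
        $url = $entity->hasLinkTemplate('edit-form')
          ? $entity->toUrl('edit-form')
          : $entity->toUrl();
        foreach ($fields as $field => $finding) {
          yield [
            'entity' => $entity,
            'field' => $field,
            'finding' => $finding,
            'url' => $url,
          ];
        }
      }
    }
  }

  /**
   * {@inheritdoc}
   */
  public function evaluate(CheckResult $result) {
    $findings = $result->findings();
    if (empty($findings)) {
      return [];
    }

    $paragraphs = [];
    $paragraphs[] = $this->t('The following items potentially have dangerous tags.');

    $items = [];
    foreach ($this->findingRows($findings) as $row) {
      // t() URL-sanitises ':url' and HTML-escapes '@label', so the anchor is
      // safe. The message must reference ':url' for the edit link to appear
      // at all; a placeholder that the text does not mention is dropped.
      $items[] = $this->t(
        '@vulnerabilities found in @field field of <a href=":url">@label</a>',
        [
          '@vulnerabilities' => implode(' and ', $row['finding']),
          '@field' => $row['field'],
          '@label' => $row['entity']->label(),
          ':url' => $row['url']->toString(),
        ]
      );
    }

    return [
      '#theme' => 'check_evaluation',
      '#paragraphs' => $paragraphs,
      '#items' => $items,
    ];
  }

  /**
   * {@inheritdoc}
   */
  public function evaluatePlain(CheckResult $result) {
    $findings = $result->findings();
    if (empty($findings)) {
      return '';
    }

    $output = '';
    foreach ($this->findingRows($findings) as $row) {
      // One tab-indented line per finding; ':link' is URL-sanitised by t().
      $output .= "\t" . $this->t(
        '@vulnerabilities in @field of :link',
        [
          '@vulnerabilities' => implode(' and ', $row['finding']),
          '@field' => $row['field'],
          ':link' => $row['url']->toString(),
        ]
      ) . "\n";
    }

    return $output;
  }

  /**
   * {@inheritdoc}
   */
  public function getMessage($result_const) {
    // Only SUCCESS and FAIL are produced by run(); anything else is reported
    // as unexpected rather than silently mapped to a status.
    switch ($result_const) {
      case CheckResult::SUCCESS:
        return $this->t('Dangerous tags were not found in any submitted content (fields).');

      case CheckResult::FAIL:
        return $this->t('Dangerous tags were found in submitted content (fields).');

      default:
        return $this->t('Unexpected result.');
    }
  }

}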