From: Jeff Veit Date: Mon, 25 Oct 2021 18:16:40 +0000 (+0100) Subject: Updated to Drupal 8.6.4, which is PHP 7.3 friendly. Also updated HTMLaw library.... X-Git-Url: http://www.aleph1.co.uk/gitweb/?p=yaffs-website;a=commitdiff_plain;h=4f1b9b4ab48a8498afac9e2213a02a23ccf4a06c Updated to Drupal 8.6.4, which is PHP 7.3 friendly. Also updated HTMLaw library. Removed Security Review module. This update will let the live website work. Further work is necessary. --- diff --git a/composer.json b/composer.json index c514b3110..bea1fd9b4 100644 --- a/composer.json +++ b/composer.json @@ -89,7 +89,6 @@ "drupal/inline_entity_form": "^1.0@beta", "drupal/entity_embed": "^1.0@beta", "drupal/dropzonejs": "^2.0@alpha", - "drupal/security_review": "1.x-dev", "drupal/entity_reference_revisions": "^1.6", "drupal/entity": "^1.0-rc1" }, @@ -98,7 +97,7 @@ "behat/mink-goutte-driver": "~1.2", "jcalderonzumba/gastonjs": "~1.0.2", "jcalderonzumba/mink-phantomjs-driver": "~0.3.1", - "mikey179/vfsStream": "~1.2", + "mikey179/vfsstream": "~1.2", "symfony/css-selector": "~2.8", "drupal/twig_xdebug": "^1.0", "drupal/livereload": "1.x-dev", diff --git a/composer.lock b/composer.lock index 38cdf935f..7c7370821 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "2c9cad0804408626752bffa44fe2bec6", + "content-hash": "8cfc3879a25f15d6aba3eaccfc3cb818", "packages": [ { "name": "alchemy/zippy", @@ -892,6 +892,7 @@ ], "description": "Promoting the interoperability of container objects (DIC, SL, etc.)", "homepage": "https://github.com/container-interop/container-interop", + "abandoned": "psr/container", "time": "2017-02-14T19:40:03+00:00" }, { @@ -1583,6 +1584,7 @@ "GPL-2.0-or-later" ], "description": "Composer Plugin for updating the Drupal scaffold files when using drupal/core", + "abandoned": "drupal/core-composer-scaffold", "time": "2018-07-27T10:07:07+00:00" }, { @@ -1590,7 +1592,7 @@ "version": "1.24.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/admin_toolbar", + "url": "https://git.drupalcode.org/project/admin_toolbar.git", "reference": "8.x-1.24" }, "dist": { @@ -1671,7 +1673,7 @@ "version": "2.4.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/advagg", + "url": "https://git.drupalcode.org/project/advagg.git", "reference": "8.x-2.4" }, "dist": { @@ -1743,7 +1745,7 @@ "version": "1.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/advanced_help", + "url": "https://git.drupalcode.org/project/advanced_help.git", "reference": "8.x-1.0-alpha2" }, "dist": { @@ -1818,7 +1820,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/better_formats", + "url": "https://git.drupalcode.org/project/better_formats.git", "reference": "e632735f9bec5e08db58716195edc25cc6db78b3" }, "require": { @@ -1856,14 +1858,15 @@ "homepage": "https://www.drupal.org/project/better_formats", "support": { "source": "http://cgit.drupalcode.org/better_formats" - } + }, + "time": "2018-04-24T13:52:26+00:00" }, { "name": "drupal/blazy", "version": "1.0.0-rc3", "source": { "type": "git", - "url": "https://git.drupal.org/project/blazy", + "url": "https://git.drupalcode.org/project/blazy.git", "reference": "8.x-1.0-rc3" }, "dist": { @@ -1926,7 +1929,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/block_class", + "url": "https://git.drupalcode.org/project/block_class.git", "reference": "8.x-1.0" }, "dist": { @@ -2026,7 +2029,7 @@ "version": "3.14.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/bootstrap", + "url": "https://git.drupalcode.org/project/bootstrap.git", "reference": "8.x-3.14" }, "dist": { @@ -2091,7 +2094,7 @@ "version": "4.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/bootstrap_layouts", + "url": "https://git.drupalcode.org/project/bootstrap_layouts.git", "reference": "8.x-4.2" }, "dist": { @@ -2147,7 +2150,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/ckeditor_templates", + "url": "https://git.drupalcode.org/project/ckeditor_templates.git", "reference": "8.x-1.0" }, "dist": { @@ -2190,7 +2193,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/ckeditor_widgets", + "url": "https://git.drupalcode.org/project/ckeditor_widgets.git", "reference": "2d462637f8804b6d0b530604d0376e97a23a3b7f" }, "require": { @@ -2721,7 +2724,7 @@ "version": "2.0.0-rc1", "source": { "type": "git", - "url": "https://git.drupal.org/project/crop", + "url": "https://git.drupalcode.org/project/crop.git", "reference": "8.x-2.0-rc1" }, "dist": { @@ -2777,7 +2780,7 @@ "version": "3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/ctools", + "url": "https://git.drupalcode.org/project/ctools.git", "reference": "8.x-3.0" }, "dist": { @@ -2862,7 +2865,7 @@ "version": "1.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/devel", + "url": "https://git.drupalcode.org/project/devel.git", "reference": "8.x-1.2" }, "dist": { @@ -2944,7 +2947,7 @@ "version": "1.0.0-rc2", "source": { "type": "git", - "url": "https://git.drupal.org/project/diff", + "url": "https://git.drupalcode.org/project/diff.git", "reference": "8.x-1.0-rc2" }, "dist": { @@ -3030,7 +3033,7 @@ "version": "1.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/draggableviews", + "url": "https://git.drupalcode.org/project/draggableviews.git", "reference": "8.x-1.2" }, "dist": { @@ -3040,16 +3043,13 @@ "shasum": "0f5e9195ceec209552aa50f8ce3c230692c284db" }, "require": { - "drupal/core": "*" + "drupal/core": "^8" }, "require-dev": { "drupal/draggableviews_demo": "*" }, "type": "drupal-module", "extra": { - "branch-alias": { - "dev-1.x": "1.x-dev" - }, "drupal": { "version": "8.x-1.2", "datestamp": "1541518680", @@ -3113,7 +3113,7 @@ "version": "2.0.0-alpha3", "source": { "type": "git", - "url": "https://git.drupal.org/project/dropzonejs", + "url": "https://git.drupalcode.org/project/dropzonejs.git", "reference": "8.x-2.0-alpha3" }, "dist": { @@ -3200,7 +3200,7 @@ "version": "1.3.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/drupalmoduleupgrader", + "url": "https://git.drupalcode.org/project/drupalmoduleupgrader.git", "reference": "8.x-1.3" }, "dist": { @@ -3309,7 +3309,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/embed", + "url": "https://git.drupalcode.org/project/embed.git", "reference": "8.x-1.0" }, "dist": { @@ -3370,7 +3370,7 @@ "version": "1.0.0-rc1", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity", + "url": "https://git.drupalcode.org/project/entity.git", "reference": "8.x-1.0-rc1" }, "dist": { @@ -3433,7 +3433,7 @@ "version": "1.6.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity_browser", + "url": "https://git.drupalcode.org/project/entity_browser.git", "reference": "8.x-1.6" }, "dist": { @@ -3517,7 +3517,7 @@ "version": "1.0.0-beta2", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity_embed", + "url": "https://git.drupalcode.org/project/entity_embed.git", "reference": "8.x-1.0-beta2" }, "dist": { @@ -3582,7 +3582,7 @@ "version": "1.6.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity_reference_revisions", + "url": "https://git.drupalcode.org/project/entity_reference_revisions.git", "reference": "8.x-1.6" }, "dist": { @@ -3640,7 +3640,7 @@ "version": "1.0.0-alpha8", "source": { "type": "git", - "url": "https://git.drupal.org/project/entityqueue", + "url": "https://git.drupalcode.org/project/entityqueue.git", "reference": "8.x-1.0-alpha8" }, "dist": { @@ -3703,7 +3703,7 @@ "version": "3.3.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/environment_indicator", + "url": "https://git.drupalcode.org/project/environment_indicator.git", "reference": "8.x-3.3" }, "dist": { @@ -3754,7 +3754,7 @@ "version": "1.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/eu-cookie-compliance", + "url": "https://git.drupalcode.org/project/eu-cookie-compliance.git", "reference": "8.x-1.2" }, "dist": { @@ -3849,7 +3849,7 @@ "version": "1.1.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/file_mdm", + "url": "https://git.drupalcode.org/project/file_mdm.git", "reference": "8.x-1.1" }, "dist": { @@ -3942,7 +3942,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/filefield_sources", + "url": "https://git.drupalcode.org/project/filefield_sources.git", "reference": "b19c6a839804f47587828d4a50e29e0720fa4c08" }, "require": { @@ -3976,14 +3976,15 @@ "homepage": "https://www.drupal.org/project/filefield_sources", "support": { "source": "http://cgit.drupalcode.org/filefield_sources" - } + }, + "time": "2017-02-21T21:07:00+00:00" }, { "name": "drupal/fontyourface", "version": "3.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/fontyourface", + "url": "https://git.drupalcode.org/project/fontyourface.git", "reference": "8.x-3.2" }, "dist": { @@ -4046,7 +4047,7 @@ "version": "1.0.0-beta1", "source": { "type": "git", - "url": "https://git.drupal.org/project/front", + "url": "https://git.drupalcode.org/project/front.git", "reference": "8.x-1.0-beta1" }, "dist": { @@ -4108,7 +4109,7 @@ "version": "2.0.0-beta2", "source": { "type": "git", - "url": "https://git.drupal.org/project/hacked", + "url": "https://git.drupalcode.org/project/hacked.git", "reference": "8.x-2.0-beta2" }, "dist": { @@ -4118,13 +4119,10 @@ "shasum": "84e018c23a39d83c2274cc009804f0abf4b9e9cb" }, "require": { - "drupal/core": "*" + "drupal/core": "^8" }, "type": "drupal-module", "extra": { - "branch-alias": { - "dev-2.x": "2.x-dev" - }, "drupal": { "version": "8.x-2.0-beta2", "datestamp": "1520956980", @@ -4147,39 +4145,44 @@ { "name": "Steven Jones", "homepage": "https://www.drupal.org/user/99644" + }, + { + "name": "colan", + "homepage": "https://www.drupal.org/user/58704" + }, + { + "name": "ivnish", + "homepage": "https://www.drupal.org/user/3547706" } ], "description": "Shows if drupal or any of its modules have been changed", "homepage": "https://www.drupal.org/project/hacked", "support": { - "source": "http://cgit.drupalcode.org/hacked" + "source": "https://git.drupalcode.org/project/hacked" } }, { "name": "drupal/htmlawed", - "version": "3.5.0", + "version": "3.7.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/htmLawed", - "reference": "8.x-3.5" + "url": "https://git.drupalcode.org/project/htmLawed.git", + "reference": "8.x-3.7" }, "dist": { "type": "zip", - "url": "https://ftp.drupal.org/files/projects/htmlawed-8.x-3.5.zip", - "reference": "8.x-3.5", - "shasum": "48cf7dda2d327fcc2024273a5b37861872e0f53f" + "url": "https://ftp.drupal.org/files/projects/htmlawed-8.x-3.7.zip", + "reference": "8.x-3.7", + "shasum": "f3b49eb425831947e3069369aecd5b32a27ac6cb" }, "require": { "drupal/core": "~8.0" }, "type": "drupal-module", "extra": { - "branch-alias": { - "dev-3.x": "3.x-dev" - }, "drupal": { - "version": "8.x-3.5", - "datestamp": "1530751724", + "version": "8.x-3.7", + "datestamp": "1586586866", "security-coverage": { "status": "covered", "message": "Covered by Drupal's security advisory policy" @@ -4199,7 +4202,7 @@ "description": "Use htmLawed to restrict and correct HTML for compliance with admin. policy and standards and for security", "homepage": "https://www.drupal.org/project/htmlawed", "support": { - "source": "http://cgit.drupalcode.org/htmlawed" + "source": "https://git.drupalcode.org/project/htmlawed" } }, { @@ -4207,7 +4210,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/http2_server_push", + "url": "https://git.drupalcode.org/project/http2_server_push.git", "reference": "8.x-1.0" }, "dist": { @@ -4250,7 +4253,7 @@ "version": "2.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/image_widget_crop", + "url": "https://git.drupalcode.org/project/image_widget_crop.git", "reference": "8.x-2.2" }, "dist": { @@ -4326,7 +4329,7 @@ "version": "2.3.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/imagemagick", + "url": "https://git.drupalcode.org/project/imagemagick.git", "reference": "8.x-2.3" }, "dist": { @@ -4415,7 +4418,7 @@ "version": "1.0.0-rc1", "source": { "type": "git", - "url": "https://git.drupal.org/project/inline_entity_form", + "url": "https://git.drupalcode.org/project/inline_entity_form.git", "reference": "8.x-1.0-rc1" }, "dist": { @@ -4481,7 +4484,7 @@ "version": "1.0.0-alpha23", "source": { "type": "git", - "url": "https://git.drupal.org/project/layout_plugin", + "url": "https://git.drupalcode.org/project/layout_plugin.git", "reference": "8.x-1.0-alpha23" }, "dist": { @@ -4536,7 +4539,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/layouter", + "url": "https://git.drupalcode.org/project/layouter.git", "reference": "8.x-1.0" }, "dist": { @@ -4595,7 +4598,7 @@ "version": "3.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/libraries", + "url": "https://git.drupalcode.org/project/libraries.git", "reference": "8.x-3.0-alpha1" }, "dist": { @@ -4656,7 +4659,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/linkchecker", + "url": "https://git.drupalcode.org/project/linkchecker.git", "reference": "f59edc88741c60991526dc54adc89554c0ca571b" }, "require": { @@ -4708,7 +4711,7 @@ "version": "4.3.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/linkit", + "url": "https://git.drupalcode.org/project/linkit.git", "reference": "8.x-4.3" }, "dist": { @@ -4754,7 +4757,7 @@ "version": "1.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_actions", + "url": "https://git.drupalcode.org/project/media_entity_actions.git", "reference": "8.x-1.0-alpha2" }, "dist": { @@ -4817,7 +4820,7 @@ "version": "2.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_instagram", + "url": "https://git.drupalcode.org/project/media_entity_instagram.git", "reference": "8.x-2.0-alpha2" }, "dist": { @@ -4880,7 +4883,7 @@ "version": "2.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_slideshow", + "url": "https://git.drupalcode.org/project/media_entity_slideshow.git", "reference": "8.x-2.0-alpha1" }, "dist": { @@ -4931,7 +4934,7 @@ "version": "2.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_twitter", + "url": "https://git.drupalcode.org/project/media_entity_twitter.git", "reference": "8.x-2.0-alpha2" }, "dist": { @@ -4991,7 +4994,7 @@ "version": "2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/memcache", + "url": "https://git.drupalcode.org/project/memcache.git", "reference": "8.x-2.0" }, "dist": { @@ -5063,7 +5066,7 @@ "version": "1.7.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/metatag", + "url": "https://git.drupalcode.org/project/metatag.git", "reference": "8.x-1.7" }, "dist": { @@ -5131,7 +5134,7 @@ "version": "4.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/migrate_plus", + "url": "https://git.drupalcode.org/project/migrate_plus.git", "reference": "8.x-4.0" }, "dist": { @@ -5193,7 +5196,7 @@ "version": "4.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/migrate_tools", + "url": "https://git.drupalcode.org/project/migrate_tools.git", "reference": "8.x-4.0" }, "dist": { @@ -5260,7 +5263,7 @@ "version": "3.0.0-rc5", "source": { "type": "git", - "url": "https://git.drupal.org/project/migrate_upgrade", + "url": "https://git.drupalcode.org/project/migrate_upgrade.git", "reference": "8.x-3.0-rc5" }, "dist": { @@ -5331,7 +5334,7 @@ "version": "1.3.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/pathauto", + "url": "https://git.drupalcode.org/project/pathauto.git", "reference": "8.x-1.3" }, "dist": { @@ -5392,7 +5395,7 @@ "version": "1.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/pathologic", + "url": "https://git.drupalcode.org/project/pathologic.git", "reference": "8.x-1.0-alpha1" }, "dist": { @@ -5447,7 +5450,7 @@ "version": "1.61.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/permissions_by_term", + "url": "https://git.drupalcode.org/project/permissions_by_term.git", "reference": "8.x-1.61" }, "dist": { @@ -5507,7 +5510,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/php", + "url": "https://git.drupalcode.org/project/php.git", "reference": "e5c1c4047f5f1522e5d630bca93d50c61ef6a2c0" }, "require": { @@ -5582,7 +5585,7 @@ "version": "1.3.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/redirect", + "url": "https://git.drupalcode.org/project/redirect.git", "reference": "8.x-1.3" }, "dist": { @@ -5632,67 +5635,12 @@ "source": "http://cgit.drupalcode.org/redirect" } }, - { - "name": "drupal/security_review", - "version": "dev-1.x", - "source": { - "type": "git", - "url": "https://git.drupal.org/project/security_review", - "reference": "9b8a34a21cac85913845df4eebb9a05c69de82d8" - }, - "require": { - "drupal/core": "~8.0" - }, - "type": "drupal-module", - "extra": { - "branch-alias": { - "dev-1.x": "1.x-dev" - }, - "drupal": { - "version": "8.x-1.x-dev", - "datestamp": "1532558881", - "security-coverage": { - "status": "not-covered", - "message": "Dev releases are not covered by Drupal security advisories." - } - }, - "patches_applied": [] - }, - "notification-url": "https://packages.drupal.org/8/downloads", - "license": [ - "GPL-2.0-or-later" - ], - "authors": [ - { - "name": "banviktor", - "homepage": "https://www.drupal.org/user/3176333" - }, - { - "name": "coltrane", - "homepage": "https://www.drupal.org/user/91990" - }, - { - "name": "dsnopek", - "homepage": "https://www.drupal.org/user/266527" - }, - { - "name": "greggles", - "homepage": "https://www.drupal.org/user/36762" - } - ], - "description": "Site security and configuration review module.", - "homepage": "https://www.drupal.org/project/security_review", - "support": { - "source": "http://cgit.drupalcode.org/security_review" - }, - "time": "2018-07-27T02:32:58+00:00" - }, { "name": "drupal/simple_sitemap", "version": "2.12.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/simple_sitemap", + "url": "https://git.drupalcode.org/project/simple_sitemap.git", "reference": "8.x-2.12" }, "dist": { @@ -5753,7 +5701,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/slick", + "url": "https://git.drupalcode.org/project/slick.git", "reference": "8.x-1.0" }, "dist": { @@ -5807,7 +5755,7 @@ "version": "2.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/slick_media", + "url": "https://git.drupalcode.org/project/slick_media.git", "reference": "8.x-2.0-alpha2" }, "dist": { @@ -5859,7 +5807,7 @@ "version": "1.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/superfish", + "url": "https://git.drupalcode.org/project/superfish.git", "reference": "8.x-1.2" }, "dist": { @@ -5909,7 +5857,7 @@ "version": "1.1.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/toc_formatter", + "url": "https://git.drupalcode.org/project/toc_formatter.git", "reference": "8.x-1.1" }, "dist": { @@ -5956,7 +5904,7 @@ "version": "1.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/tocify", + "url": "https://git.drupalcode.org/project/tocify.git", "reference": "8.x-1.2" }, "dist": { @@ -6011,7 +5959,7 @@ "version": "1.5.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/token", + "url": "https://git.drupalcode.org/project/token.git", "reference": "8.x-1.5" }, "dist": { @@ -6078,7 +6026,7 @@ "version": "1.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/typogrify", + "url": "https://git.drupalcode.org/project/typogrify.git", "reference": "8.x-1.0-alpha1" }, "dist": { @@ -6138,7 +6086,7 @@ "version": "1.2.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/video", + "url": "https://git.drupalcode.org/project/video.git", "reference": "8.x-1.2" }, "dist": { @@ -6198,7 +6146,7 @@ "version": "2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/video_embed_field", + "url": "https://git.drupalcode.org/project/video_embed_field.git", "reference": "8.x-2.0" }, "dist": { @@ -6259,7 +6207,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/videojs", + "url": "https://git.drupalcode.org/project/videojs.git", "reference": "8.x-1.0" }, "dist": { @@ -6313,7 +6261,7 @@ "version": "3.1.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/views_bootstrap", + "url": "https://git.drupalcode.org/project/views_bootstrap.git", "reference": "8.x-3.1" }, "dist": { @@ -6375,7 +6323,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/views_responsive_grid", + "url": "https://git.drupalcode.org/project/views_responsive_grid.git", "reference": "b8478ccf4cb6dc6837a0c1170a848e418499a357" }, "require": { @@ -6463,6 +6411,7 @@ "keywords": [ "Drush" ], + "abandoned": true, "time": "2015-10-16T21:32:27+00:00" }, { @@ -6605,12 +6554,12 @@ "version": "0.9.1", "source": { "type": "git", - "url": "https://github.com/njh/easyrdf.git", + "url": "https://github.com/easyrdf/easyrdf.git", "reference": "acd09dfe0555fbcfa254291e433c45fdd4652566" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/njh/easyrdf/zipball/acd09dfe0555fbcfa254291e433c45fdd4652566", + "url": "https://api.github.com/repos/easyrdf/easyrdf/zipball/acd09dfe0555fbcfa254291e433c45fdd4652566", "reference": "acd09dfe0555fbcfa254291e433c45fdd4652566", "shasum": "" }, @@ -6965,7 +6914,7 @@ "version": "dev-master", "source": { "type": "git", - "url": "https://github.com/grom358/pharborist.git", + "url": "git@github.com:grom358/pharborist.git", "reference": "0db9e51299a80e95b06857ed1809f59bbbab1af6" }, "dist": { @@ -7276,6 +7225,7 @@ "email": "jakub.onderka@gmail.com" } ], + "abandoned": "php-parallel-lint/php-console-color", "time": "2018-09-29T17:23:10+00:00" }, { @@ -7322,6 +7272,7 @@ } ], "description": "Highlight PHP code in terminal", + "abandoned": "php-parallel-lint/php-console-highlighter", "time": "2018-09-29T18:48:56+00:00" }, { @@ -10096,12 +10047,12 @@ "version": "1.3.0", "source": { "type": "git", - "url": "https://github.com/webmozart/assert.git", + "url": "https://github.com/webmozarts/assert.git", "reference": "0df1908962e7a3071564e857d86874dad1ef204a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/webmozart/assert/zipball/0df1908962e7a3071564e857d86874dad1ef204a", + "url": "https://api.github.com/repos/webmozarts/assert/zipball/0df1908962e7a3071564e857d86874dad1ef204a", "reference": "0df1908962e7a3071564e857d86874dad1ef204a", "shasum": "" }, @@ -10249,6 +10200,7 @@ "psr", "psr-7" ], + "abandoned": "laminas/laminas-diactoros", "time": "2018-09-05T19:29:37+00:00" }, { @@ -10294,6 +10246,7 @@ "escaper", "zf" ], + "abandoned": "laminas/laminas-escaper", "time": "2018-04-25T15:48:53+00:00" }, { @@ -10355,6 +10308,7 @@ "feed", "zf" ], + "abandoned": "laminas/laminas-feed", "time": "2018-08-01T13:53:20+00:00" }, { @@ -10401,6 +10355,7 @@ "stdlib", "zf" ], + "abandoned": "laminas/laminas-stdlib", "time": "2018-08-28T21:34:05+00:00" } ], @@ -10692,7 +10647,7 @@ "version": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/livereload", + "url": "https://git.drupalcode.org/project/livereload.git", "reference": "223feb798d2af436818c3d8fd0b47718569ebd4b" }, "require": { @@ -10733,7 +10688,7 @@ "version": "1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/twig_xdebug", + "url": "https://git.drupalcode.org/project/twig_xdebug.git", "reference": "8.x-1.0" }, "dist": { @@ -10947,12 +10902,12 @@ "version": "v1.6.5", "source": { "type": "git", - "url": "https://github.com/mikey179/vfsStream.git", + "url": "https://github.com/bovigo/vfsStream.git", "reference": "d5fec95f541d4d71c4823bb5e30cf9b9e5b96145" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/mikey179/vfsStream/zipball/d5fec95f541d4d71c4823bb5e30cf9b9e5b96145", + "url": "https://api.github.com/repos/bovigo/vfsStream/zipball/d5fec95f541d4d71c4823bb5e30cf9b9e5b96145", "reference": "d5fec95f541d4d71c4823bb5e30cf9b9e5b96145", "shasum": "" }, @@ -11297,6 +11252,7 @@ "keywords": [ "tokenizer" ], + "abandoned": true, "time": "2017-12-04T08:55:13+00:00" }, { @@ -11425,6 +11381,7 @@ "mock", "xunit" ], + "abandoned": true, "time": "2015-10-02T06:51:40+00:00" }, { @@ -11884,7 +11841,6 @@ "drupal/inline_entity_form": 10, "drupal/entity_embed": 10, "drupal/dropzonejs": 15, - "drupal/security_review": 20, "drupal/livereload": 20 }, "prefer-stable": true, @@ -11893,5 +11849,6 @@ "platform-dev": [], "platform-overrides": { "php": "7.0.30" - } + }, + "plugin-api-version": "1.1.0" } diff --git a/vendor/composer/ClassLoader.php b/vendor/composer/ClassLoader.php index fce8549f0..03b9bb9c4 100644 --- a/vendor/composer/ClassLoader.php +++ b/vendor/composer/ClassLoader.php @@ -60,7 +60,7 @@ class ClassLoader public function getPrefixes() { if (!empty($this->prefixesPsr0)) { - return call_user_func_array('array_merge', $this->prefixesPsr0); + return call_user_func_array('array_merge', array_values($this->prefixesPsr0)); } return array(); diff --git a/vendor/composer/autoload_real.php b/vendor/composer/autoload_real.php index e0c489e86..2bab8ce2c 100644 --- a/vendor/composer/autoload_real.php +++ b/vendor/composer/autoload_real.php @@ -13,6 +13,9 @@ class ComposerAutoloaderInit045d6a3105edf51cf91c16e965235549 } } + /** + * @return \Composer\Autoload\ClassLoader + */ public static function getLoader() { if (null !== self::$loader) { diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index 4240b09b1..c65055a1c 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json @@ -1151,7 +1151,8 @@ "MIT" ], "description": "Promoting the interoperability of container objects (DIC, SL, etc.)", - "homepage": "https://github.com/container-interop/container-interop" + "homepage": "https://github.com/container-interop/container-interop", + "abandoned": "psr/container" }, { "name": "cweagans/composer-patches", @@ -1922,7 +1923,8 @@ "license": [ "GPL-2.0-or-later" ], - "description": "Composer Plugin for updating the Drupal scaffold files when using drupal/core" + "description": "Composer Plugin for updating the Drupal scaffold files when using drupal/core", + "abandoned": "drupal/core-composer-scaffold" }, { "name": "drupal/admin_toolbar", @@ -1930,7 +1932,7 @@ "version_normalized": "1.24.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/admin_toolbar", + "url": "https://git.drupalcode.org/project/admin_toolbar.git", "reference": "8.x-1.24" }, "dist": { @@ -2013,7 +2015,7 @@ "version_normalized": "2.4.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/advagg", + "url": "https://git.drupalcode.org/project/advagg.git", "reference": "8.x-2.4" }, "dist": { @@ -2087,7 +2089,7 @@ "version_normalized": "1.0.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/advanced_help", + "url": "https://git.drupalcode.org/project/advanced_help.git", "reference": "8.x-1.0-alpha2" }, "dist": { @@ -2164,7 +2166,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/better_formats", + "url": "https://git.drupalcode.org/project/better_formats.git", "reference": "e632735f9bec5e08db58716195edc25cc6db78b3" }, "require": { @@ -2211,7 +2213,7 @@ "version_normalized": "1.0.0.0-RC3", "source": { "type": "git", - "url": "https://git.drupal.org/project/blazy", + "url": "https://git.drupalcode.org/project/blazy.git", "reference": "8.x-1.0-rc3" }, "dist": { @@ -2276,7 +2278,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/block_class", + "url": "https://git.drupalcode.org/project/block_class.git", "reference": "8.x-1.0" }, "dist": { @@ -2378,7 +2380,7 @@ "version_normalized": "3.14.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/bootstrap", + "url": "https://git.drupalcode.org/project/bootstrap.git", "reference": "8.x-3.14" }, "dist": { @@ -2445,7 +2447,7 @@ "version_normalized": "4.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/bootstrap_layouts", + "url": "https://git.drupalcode.org/project/bootstrap_layouts.git", "reference": "8.x-4.2" }, "dist": { @@ -2503,7 +2505,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/ckeditor_templates", + "url": "https://git.drupalcode.org/project/ckeditor_templates.git", "reference": "8.x-1.0" }, "dist": { @@ -2548,7 +2550,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/ckeditor_widgets", + "url": "https://git.drupalcode.org/project/ckeditor_widgets.git", "reference": "2d462637f8804b6d0b530604d0376e97a23a3b7f" }, "require": { @@ -3091,7 +3093,7 @@ "version_normalized": "2.0.0.0-RC1", "source": { "type": "git", - "url": "https://git.drupal.org/project/crop", + "url": "https://git.drupalcode.org/project/crop.git", "reference": "8.x-2.0-rc1" }, "dist": { @@ -3149,7 +3151,7 @@ "version_normalized": "3.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/ctools", + "url": "https://git.drupalcode.org/project/ctools.git", "reference": "8.x-3.0" }, "dist": { @@ -3236,7 +3238,7 @@ "version_normalized": "1.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/devel", + "url": "https://git.drupalcode.org/project/devel.git", "reference": "8.x-1.2" }, "dist": { @@ -3320,7 +3322,7 @@ "version_normalized": "1.0.0.0-RC2", "source": { "type": "git", - "url": "https://git.drupal.org/project/diff", + "url": "https://git.drupalcode.org/project/diff.git", "reference": "8.x-1.0-rc2" }, "dist": { @@ -3408,7 +3410,7 @@ "version_normalized": "1.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/draggableviews", + "url": "https://git.drupalcode.org/project/draggableviews.git", "reference": "8.x-1.2" }, "dist": { @@ -3418,16 +3420,13 @@ "shasum": "0f5e9195ceec209552aa50f8ce3c230692c284db" }, "require": { - "drupal/core": "*" + "drupal/core": "^8" }, "require-dev": { "drupal/draggableviews_demo": "*" }, "type": "drupal-module", "extra": { - "branch-alias": { - "dev-1.x": "1.x-dev" - }, "drupal": { "version": "8.x-1.2", "datestamp": "1541518680", @@ -3493,7 +3492,7 @@ "version_normalized": "2.0.0.0-alpha3", "source": { "type": "git", - "url": "https://git.drupal.org/project/dropzonejs", + "url": "https://git.drupalcode.org/project/dropzonejs.git", "reference": "8.x-2.0-alpha3" }, "dist": { @@ -3582,7 +3581,7 @@ "version_normalized": "1.3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/drupalmoduleupgrader", + "url": "https://git.drupalcode.org/project/drupalmoduleupgrader.git", "reference": "8.x-1.3" }, "dist": { @@ -3693,7 +3692,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/embed", + "url": "https://git.drupalcode.org/project/embed.git", "reference": "8.x-1.0" }, "dist": { @@ -3756,7 +3755,7 @@ "version_normalized": "1.0.0.0-RC1", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity", + "url": "https://git.drupalcode.org/project/entity.git", "reference": "8.x-1.0-rc1" }, "dist": { @@ -3821,7 +3820,7 @@ "version_normalized": "1.6.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity_browser", + "url": "https://git.drupalcode.org/project/entity_browser.git", "reference": "8.x-1.6" }, "dist": { @@ -3907,7 +3906,7 @@ "version_normalized": "1.0.0.0-beta2", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity_embed", + "url": "https://git.drupalcode.org/project/entity_embed.git", "reference": "8.x-1.0-beta2" }, "dist": { @@ -3974,7 +3973,7 @@ "version_normalized": "1.6.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/entity_reference_revisions", + "url": "https://git.drupalcode.org/project/entity_reference_revisions.git", "reference": "8.x-1.6" }, "dist": { @@ -4034,7 +4033,7 @@ "version_normalized": "1.0.0.0-alpha8", "source": { "type": "git", - "url": "https://git.drupal.org/project/entityqueue", + "url": "https://git.drupalcode.org/project/entityqueue.git", "reference": "8.x-1.0-alpha8" }, "dist": { @@ -4099,7 +4098,7 @@ "version_normalized": "3.3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/environment_indicator", + "url": "https://git.drupalcode.org/project/environment_indicator.git", "reference": "8.x-3.3" }, "dist": { @@ -4152,7 +4151,7 @@ "version_normalized": "1.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/eu-cookie-compliance", + "url": "https://git.drupalcode.org/project/eu-cookie-compliance.git", "reference": "8.x-1.2" }, "dist": { @@ -4249,7 +4248,7 @@ "version_normalized": "1.1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/file_mdm", + "url": "https://git.drupalcode.org/project/file_mdm.git", "reference": "8.x-1.1" }, "dist": { @@ -4345,7 +4344,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/filefield_sources", + "url": "https://git.drupalcode.org/project/filefield_sources.git", "reference": "b19c6a839804f47587828d4a50e29e0720fa4c08" }, "require": { @@ -4388,7 +4387,7 @@ "version_normalized": "3.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/fontyourface", + "url": "https://git.drupalcode.org/project/fontyourface.git", "reference": "8.x-3.2" }, "dist": { @@ -4453,7 +4452,7 @@ "version_normalized": "1.0.0.0-beta1", "source": { "type": "git", - "url": "https://git.drupal.org/project/front", + "url": "https://git.drupalcode.org/project/front.git", "reference": "8.x-1.0-beta1" }, "dist": { @@ -4517,7 +4516,7 @@ "version_normalized": "2.0.0.0-beta2", "source": { "type": "git", - "url": "https://git.drupal.org/project/hacked", + "url": "https://git.drupalcode.org/project/hacked.git", "reference": "8.x-2.0-beta2" }, "dist": { @@ -4527,13 +4526,10 @@ "shasum": "84e018c23a39d83c2274cc009804f0abf4b9e9cb" }, "require": { - "drupal/core": "*" + "drupal/core": "^8" }, "type": "drupal-module", "extra": { - "branch-alias": { - "dev-2.x": "2.x-dev" - }, "drupal": { "version": "8.x-2.0-beta2", "datestamp": "1520956980", @@ -4557,40 +4553,45 @@ { "name": "Steven Jones", "homepage": "https://www.drupal.org/user/99644" + }, + { + "name": "colan", + "homepage": "https://www.drupal.org/user/58704" + }, + { + "name": "ivnish", + "homepage": "https://www.drupal.org/user/3547706" } ], "description": "Shows if drupal or any of its modules have been changed", "homepage": "https://www.drupal.org/project/hacked", "support": { - "source": "http://cgit.drupalcode.org/hacked" + "source": "https://git.drupalcode.org/project/hacked" } }, { "name": "drupal/htmlawed", - "version": "3.5.0", - "version_normalized": "3.5.0.0", + "version": "3.7.0", + "version_normalized": "3.7.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/htmLawed", - "reference": "8.x-3.5" + "url": "https://git.drupalcode.org/project/htmLawed.git", + "reference": "8.x-3.7" }, "dist": { "type": "zip", - "url": "https://ftp.drupal.org/files/projects/htmlawed-8.x-3.5.zip", - "reference": "8.x-3.5", - "shasum": "48cf7dda2d327fcc2024273a5b37861872e0f53f" + "url": "https://ftp.drupal.org/files/projects/htmlawed-8.x-3.7.zip", + "reference": "8.x-3.7", + "shasum": "f3b49eb425831947e3069369aecd5b32a27ac6cb" }, "require": { "drupal/core": "~8.0" }, "type": "drupal-module", "extra": { - "branch-alias": { - "dev-3.x": "3.x-dev" - }, "drupal": { - "version": "8.x-3.5", - "datestamp": "1530751724", + "version": "8.x-3.7", + "datestamp": "1586586866", "security-coverage": { "status": "covered", "message": "Covered by Drupal's security advisory policy" @@ -4611,7 +4612,7 @@ "description": "Use htmLawed to restrict and correct HTML for compliance with admin. policy and standards and for security", "homepage": "https://www.drupal.org/project/htmlawed", "support": { - "source": "http://cgit.drupalcode.org/htmlawed" + "source": "https://git.drupalcode.org/project/htmlawed" } }, { @@ -4620,7 +4621,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/http2_server_push", + "url": "https://git.drupalcode.org/project/http2_server_push.git", "reference": "8.x-1.0" }, "dist": { @@ -4665,7 +4666,7 @@ "version_normalized": "2.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/image_widget_crop", + "url": "https://git.drupalcode.org/project/image_widget_crop.git", "reference": "8.x-2.2" }, "dist": { @@ -4743,7 +4744,7 @@ "version_normalized": "2.3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/imagemagick", + "url": "https://git.drupalcode.org/project/imagemagick.git", "reference": "8.x-2.3" }, "dist": { @@ -4834,7 +4835,7 @@ "version_normalized": "1.0.0.0-RC1", "source": { "type": "git", - "url": "https://git.drupal.org/project/inline_entity_form", + "url": "https://git.drupalcode.org/project/inline_entity_form.git", "reference": "8.x-1.0-rc1" }, "dist": { @@ -4902,7 +4903,7 @@ "version_normalized": "1.0.0.0-alpha23", "source": { "type": "git", - "url": "https://git.drupal.org/project/layout_plugin", + "url": "https://git.drupalcode.org/project/layout_plugin.git", "reference": "8.x-1.0-alpha23" }, "dist": { @@ -4959,7 +4960,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/layouter", + "url": "https://git.drupalcode.org/project/layouter.git", "reference": "8.x-1.0" }, "dist": { @@ -5020,7 +5021,7 @@ "version_normalized": "3.0.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/libraries", + "url": "https://git.drupalcode.org/project/libraries.git", "reference": "8.x-3.0-alpha1" }, "dist": { @@ -5083,7 +5084,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/linkchecker", + "url": "https://git.drupalcode.org/project/linkchecker.git", "reference": "f59edc88741c60991526dc54adc89554c0ca571b" }, "require": { @@ -5136,7 +5137,7 @@ "version_normalized": "4.3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/linkit", + "url": "https://git.drupalcode.org/project/linkit.git", "reference": "8.x-4.3" }, "dist": { @@ -5184,7 +5185,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/livereload", + "url": "https://git.drupalcode.org/project/livereload.git", "reference": "223feb798d2af436818c3d8fd0b47718569ebd4b" }, "require": { @@ -5227,7 +5228,7 @@ "version_normalized": "1.0.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_actions", + "url": "https://git.drupalcode.org/project/media_entity_actions.git", "reference": "8.x-1.0-alpha2" }, "dist": { @@ -5292,7 +5293,7 @@ "version_normalized": "2.0.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_instagram", + "url": "https://git.drupalcode.org/project/media_entity_instagram.git", "reference": "8.x-2.0-alpha2" }, "dist": { @@ -5357,7 +5358,7 @@ "version_normalized": "2.0.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_slideshow", + "url": "https://git.drupalcode.org/project/media_entity_slideshow.git", "reference": "8.x-2.0-alpha1" }, "dist": { @@ -5410,7 +5411,7 @@ "version_normalized": "2.0.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/media_entity_twitter", + "url": "https://git.drupalcode.org/project/media_entity_twitter.git", "reference": "8.x-2.0-alpha2" }, "dist": { @@ -5472,7 +5473,7 @@ "version_normalized": "2.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/memcache", + "url": "https://git.drupalcode.org/project/memcache.git", "reference": "8.x-2.0" }, "dist": { @@ -5546,7 +5547,7 @@ "version_normalized": "1.7.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/metatag", + "url": "https://git.drupalcode.org/project/metatag.git", "reference": "8.x-1.7" }, "dist": { @@ -5616,7 +5617,7 @@ "version_normalized": "4.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/migrate_plus", + "url": "https://git.drupalcode.org/project/migrate_plus.git", "reference": "8.x-4.0" }, "dist": { @@ -5680,7 +5681,7 @@ "version_normalized": "4.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/migrate_tools", + "url": "https://git.drupalcode.org/project/migrate_tools.git", "reference": "8.x-4.0" }, "dist": { @@ -5749,7 +5750,7 @@ "version_normalized": "3.0.0.0-RC5", "source": { "type": "git", - "url": "https://git.drupal.org/project/migrate_upgrade", + "url": "https://git.drupalcode.org/project/migrate_upgrade.git", "reference": "8.x-3.0-rc5" }, "dist": { @@ -5822,7 +5823,7 @@ "version_normalized": "1.3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/pathauto", + "url": "https://git.drupalcode.org/project/pathauto.git", "reference": "8.x-1.3" }, "dist": { @@ -5885,7 +5886,7 @@ "version_normalized": "1.0.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/pathologic", + "url": "https://git.drupalcode.org/project/pathologic.git", "reference": "8.x-1.0-alpha1" }, "dist": { @@ -5942,7 +5943,7 @@ "version_normalized": "1.61.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/permissions_by_term", + "url": "https://git.drupalcode.org/project/permissions_by_term.git", "reference": "8.x-1.61" }, "dist": { @@ -6004,7 +6005,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/php", + "url": "https://git.drupalcode.org/project/php.git", "reference": "e5c1c4047f5f1522e5d630bca93d50c61ef6a2c0" }, "require": { @@ -6080,7 +6081,7 @@ "version_normalized": "1.3.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/redirect", + "url": "https://git.drupalcode.org/project/redirect.git", "reference": "8.x-1.3" }, "dist": { @@ -6131,69 +6132,13 @@ "source": "http://cgit.drupalcode.org/redirect" } }, - { - "name": "drupal/security_review", - "version": "dev-1.x", - "version_normalized": "dev-1.x", - "source": { - "type": "git", - "url": "https://git.drupal.org/project/security_review", - "reference": "9b8a34a21cac85913845df4eebb9a05c69de82d8" - }, - "require": { - "drupal/core": "~8.0" - }, - "type": "drupal-module", - "extra": { - "branch-alias": { - "dev-1.x": "1.x-dev" - }, - "drupal": { - "version": "8.x-1.x-dev", - "datestamp": "1532558881", - "security-coverage": { - "status": "not-covered", - "message": "Dev releases are not covered by Drupal security advisories." - } - }, - "patches_applied": [] - }, - "installation-source": "source", - "notification-url": "https://packages.drupal.org/8/downloads", - "license": [ - "GPL-2.0-or-later" - ], - "authors": [ - { - "name": "banviktor", - "homepage": "https://www.drupal.org/user/3176333" - }, - { - "name": "coltrane", - "homepage": "https://www.drupal.org/user/91990" - }, - { - "name": "dsnopek", - "homepage": "https://www.drupal.org/user/266527" - }, - { - "name": "greggles", - "homepage": "https://www.drupal.org/user/36762" - } - ], - "description": "Site security and configuration review module.", - "homepage": "https://www.drupal.org/project/security_review", - "support": { - "source": "http://cgit.drupalcode.org/security_review" - } - }, { "name": "drupal/simple_sitemap", "version": "2.12.0", "version_normalized": "2.12.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/simple_sitemap", + "url": "https://git.drupalcode.org/project/simple_sitemap.git", "reference": "8.x-2.12" }, "dist": { @@ -6256,7 +6201,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/slick", + "url": "https://git.drupalcode.org/project/slick.git", "reference": "8.x-1.0" }, "dist": { @@ -6312,7 +6257,7 @@ "version_normalized": "2.0.0.0-alpha2", "source": { "type": "git", - "url": "https://git.drupal.org/project/slick_media", + "url": "https://git.drupalcode.org/project/slick_media.git", "reference": "8.x-2.0-alpha2" }, "dist": { @@ -6366,7 +6311,7 @@ "version_normalized": "1.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/superfish", + "url": "https://git.drupalcode.org/project/superfish.git", "reference": "8.x-1.2" }, "dist": { @@ -6418,7 +6363,7 @@ "version_normalized": "1.1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/toc_formatter", + "url": "https://git.drupalcode.org/project/toc_formatter.git", "reference": "8.x-1.1" }, "dist": { @@ -6467,7 +6412,7 @@ "version_normalized": "1.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/tocify", + "url": "https://git.drupalcode.org/project/tocify.git", "reference": "8.x-1.2" }, "dist": { @@ -6524,7 +6469,7 @@ "version_normalized": "1.5.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/token", + "url": "https://git.drupalcode.org/project/token.git", "reference": "8.x-1.5" }, "dist": { @@ -6593,7 +6538,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/twig_xdebug", + "url": "https://git.drupalcode.org/project/twig_xdebug.git", "reference": "8.x-1.0" }, "dist": { @@ -6639,7 +6584,7 @@ "version_normalized": "1.0.0.0-alpha1", "source": { "type": "git", - "url": "https://git.drupal.org/project/typogrify", + "url": "https://git.drupalcode.org/project/typogrify.git", "reference": "8.x-1.0-alpha1" }, "dist": { @@ -6701,7 +6646,7 @@ "version_normalized": "1.2.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/video", + "url": "https://git.drupalcode.org/project/video.git", "reference": "8.x-1.2" }, "dist": { @@ -6763,7 +6708,7 @@ "version_normalized": "2.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/video_embed_field", + "url": "https://git.drupalcode.org/project/video_embed_field.git", "reference": "8.x-2.0" }, "dist": { @@ -6826,7 +6771,7 @@ "version_normalized": "1.0.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/videojs", + "url": "https://git.drupalcode.org/project/videojs.git", "reference": "8.x-1.0" }, "dist": { @@ -6882,7 +6827,7 @@ "version_normalized": "3.1.0.0", "source": { "type": "git", - "url": "https://git.drupal.org/project/views_bootstrap", + "url": "https://git.drupalcode.org/project/views_bootstrap.git", "reference": "8.x-3.1" }, "dist": { @@ -6946,7 +6891,7 @@ "version_normalized": "dev-1.x", "source": { "type": "git", - "url": "https://git.drupal.org/project/views_responsive_grid", + "url": "https://git.drupalcode.org/project/views_responsive_grid.git", "reference": "b8478ccf4cb6dc6837a0c1170a848e418499a357" }, "require": { @@ -7037,7 +6982,8 @@ "description": "Drush config-extra contains additional configuration Drush commands, notably config-merge.", "keywords": [ "Drush" - ] + ], + "abandoned": true }, { "name": "drush/drush", @@ -7182,12 +7128,12 @@ "version_normalized": "0.9.1.0", "source": { "type": "git", - "url": "https://github.com/njh/easyrdf.git", + "url": "https://github.com/easyrdf/easyrdf.git", "reference": "acd09dfe0555fbcfa254291e433c45fdd4652566" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/njh/easyrdf/zipball/acd09dfe0555fbcfa254291e433c45fdd4652566", + "url": "https://api.github.com/repos/easyrdf/easyrdf/zipball/acd09dfe0555fbcfa254291e433c45fdd4652566", "reference": "acd09dfe0555fbcfa254291e433c45fdd4652566", "shasum": "" }, @@ -7615,7 +7561,7 @@ "version_normalized": "9999999-dev", "source": { "type": "git", - "url": "https://github.com/grom358/pharborist.git", + "url": "git@github.com:grom358/pharborist.git", "reference": "0db9e51299a80e95b06857ed1809f59bbbab1af6" }, "dist": { @@ -7937,7 +7883,8 @@ "name": "Jakub Onderka", "email": "jakub.onderka@gmail.com" } - ] + ], + "abandoned": "php-parallel-lint/php-console-color" }, { "name": "jakub-onderka/php-console-highlighter", @@ -7985,7 +7932,8 @@ "homepage": "http://www.acci.cz/" } ], - "description": "Highlight PHP code in terminal" + "description": "Highlight PHP code in terminal", + "abandoned": "php-parallel-lint/php-console-highlighter" }, { "name": "jcalderonzumba/gastonjs", @@ -8380,12 +8328,12 @@ "version_normalized": "1.6.5.0", "source": { "type": "git", - "url": "https://github.com/mikey179/vfsStream.git", + "url": "https://github.com/bovigo/vfsStream.git", "reference": "d5fec95f541d4d71c4823bb5e30cf9b9e5b96145" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/mikey179/vfsStream/zipball/d5fec95f541d4d71c4823bb5e30cf9b9e5b96145", + "url": "https://api.github.com/repos/bovigo/vfsStream/zipball/d5fec95f541d4d71c4823bb5e30cf9b9e5b96145", "reference": "d5fec95f541d4d71c4823bb5e30cf9b9e5b96145", "shasum": "" }, @@ -8976,7 +8924,8 @@ "homepage": "https://github.com/sebastianbergmann/php-token-stream/", "keywords": [ "tokenizer" - ] + ], + "abandoned": true }, { "name": "phpunit/phpunit", @@ -9108,7 +9057,8 @@ "keywords": [ "mock", "xunit" - ] + ], + "abandoned": true }, { "name": "psr/container", @@ -11918,12 +11868,12 @@ "version_normalized": "1.3.0.0", "source": { "type": "git", - "url": "https://github.com/webmozart/assert.git", + "url": "https://github.com/webmozarts/assert.git", "reference": "0df1908962e7a3071564e857d86874dad1ef204a" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/webmozart/assert/zipball/0df1908962e7a3071564e857d86874dad1ef204a", + "url": "https://api.github.com/repos/webmozarts/assert/zipball/0df1908962e7a3071564e857d86874dad1ef204a", "reference": "0df1908962e7a3071564e857d86874dad1ef204a", "shasum": "" }, @@ -12076,7 +12026,8 @@ "http", "psr", "psr-7" - ] + ], + "abandoned": "laminas/laminas-diactoros" }, { "name": "zendframework/zend-escaper", @@ -12123,7 +12074,8 @@ "ZendFramework", "escaper", "zf" - ] + ], + "abandoned": "laminas/laminas-escaper" }, { "name": "zendframework/zend-feed", @@ -12186,7 +12138,8 @@ "ZendFramework", "feed", "zf" - ] + ], + "abandoned": "laminas/laminas-feed" }, { "name": "zendframework/zend-stdlib", @@ -12234,6 +12187,7 @@ "ZendFramework", "stdlib", "zf" - ] + ], + "abandoned": "laminas/laminas-stdlib" } ] diff --git a/web/libraries/htmLawed/htmLawed.php b/web/libraries/htmLawed/htmLawed.php index 6a7c53201..692e36a4a 100755 --- a/web/libraries/htmLawed/htmLawed.php +++ b/web/libraries/htmLawed/htmLawed.php @@ -1,7 +1,7 @@ (`.|[^"])*)"/sm', create_function('$m', 'return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", \'`"\'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", "\""), $m[0]), 1, -1);'), trim($t))); +if(!function_exists('hl_aux1')){function hl_aux1($m){ + return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", '`"'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", '"'), $m[0]), 1, -1); +}} +$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', 'hl_aux1', trim($t))); for($i = count(($t = explode(';', $t))); --$i>=0;){ $w = $t[$i]; if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a = substr($w, $e+1)))){continue;} @@ -643,11 +652,11 @@ if($e == 'font'){ $a2 = ''; while(preg_match('`(^|\s)(color|size)\s*=\s*(\'|")?(.+?)(\\3|\s|$)`i', $a, $m)){ $a = str_replace($m[0], ' ', $a); - $a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace('"', '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? ($a2 .= ' font-size: '. str_replace('"', '\'', $fs[$m]). ';') : ''); + $a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace(array('"', ';', ':'), '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? (' font-size: '. $fs[$m]. ';') : ''); } while(preg_match('`(^|\s)face\s*=\s*(\'|")?([^=]+?)\\2`i', $a, $m) or preg_match('`(^|\s)face\s*=(\s*)(\S+)`i', $a, $m)){ $a = str_replace($m[0], ' ', $a); - $a2 .= ' font-family: '. str_replace('"', '\'', trim($m[3])). ';'; + $a2 .= ' font-family: '. str_replace(array('"', ';', ':'), '\'', trim($m[3])). ';'; } $e = 'span'; return ltrim(str_replace('<', '', $a2)); } @@ -660,7 +669,10 @@ return ''; function hl_tidy($t, $w, $p){ // tidy/compact HTM if(strpos(' pre,script,textarea', "$p,")){return $t;} -$t = preg_replace(array('`(<\w[^>]*(?)\s+`', '`\s+`', '`(<\w[^>]*(?) `'), array(' $1', ' ', '$1'), preg_replace_callback(array('`(<(!\[CDATA\[))(.+?)(\]\]>)`sm', '`(<(!--))(.+?)(-->)`sm', '`(<(pre|script|textarea)[^>]*?>)(.+?)()`sm'), create_function('$m', 'return $m[1]. str_replace(array("<", ">", "\n", "\r", "\t", " "), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), $m[3]). $m[4];'), $t)); +if(!function_exists('hl_aux2')){function hl_aux2($m){ + return $m[1]. str_replace(array("<", ">", "\n", "\r", "\t", ' '), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), $m[3]). $m[4]; +}} +$t = preg_replace(array('`(<\w[^>]*(?)\s+`', '`\s+`', '`(<\w[^>]*(?) `'), array(' $1', ' ', '$1'), preg_replace_callback(array('`(<(!\[CDATA\[))(.+?)(\]\]>)`sm', '`(<(!--))(.+?)(-->)`sm', '`(<(pre|script|textarea)[^>]*?>)(.+?)()`sm'), 'hl_aux2', $t)); if(($w = strtolower($w)) == -1){ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array('<', '>', "\n", "\r", "\t", ' '), $t); } @@ -713,5 +725,5 @@ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array( function hl_version(){ // version -return '1.2.2'; +return '1.2.6'; } diff --git a/web/libraries/htmLawed/htmLawedTest.php b/web/libraries/htmLawed/htmLawedTest.php new file mode 100755 index 000000000..a03091e06 --- /dev/null +++ b/web/libraries/htmLawed/htmLawedTest.php @@ -0,0 +1,692 @@ + $v){ + $_POST[$k] = stripslashes($v); + } + ini_set('magic_quotes_gpc', 0); +} +if(get_magic_quotes_runtime()){ + set_magic_quotes_runtime(0); +} + +$_POST['enc'] = (isset($_POST['enc']) and preg_match('`^[-\w]+$`', $_POST['enc'])) ? $_POST['enc'] : 'utf-8'; + +// token for anti-CSRF +if(count($_POST)){ + if((empty($_GET['pre']) and ((!empty($_POST['token']) and !empty($_SESSION['token']) and $_POST['token'] != $_SESSION['token']) or empty($_POST[$_sid]) or $_POST[$_sid] != session_id() or empty($_COOKIE[$_sid]) or $_COOKIE[$_sid] != session_id())) or ($_POST[$_sid] != session_id())){ + $_POST = array('enc'=>'utf-8'); + } +} +if(empty($_GET['pre'])){ + $_SESSION['token'] = md5(uniqid(rand(), 1)); + $token = $_SESSION['token']; + session_regenerate_id(1); +} + +// compress +if(function_exists('gzencode') && isset($_SERVER['HTTP_ACCEPT_ENCODING']) && preg_match('`gzip|deflate`i', $_SERVER['HTTP_ACCEPT_ENCODING']) && !ini_get('zlib.output_compression')){ + ob_start('ob_gzhandler'); +} + +// HTM for unprocessed +if(isset($_POST['inputH'])){ + echo 'htmLawed test: HTML view of unprocessed input

  Rendering of raw/unprocessed input without an HTML doctype or charset declaration     close window | htmLawed test page

', $_POST['inputH'], '
'; + exit; +} + +// HTM for processed +if(isset($_POST['outputH'])){ + echo 'htmLawed test: HTML view of unprocessed input

  Rendering of filtered/processed input without an HTML doctype or charset declaration     close window | htmLawed test page

', $_POST['outputH'], '
'; + exit; +} + +// main +$_POST['text'] = isset($_POST['text']) ? $_POST['text'] : 'text to process; < '. $_limit. ' characters'. ($_hlimit ? ' (for binary hexdump view, < '. $_hlimit. ')' : ''); +$do = (!empty($_POST[$_sid]) && isset($_POST['text'][0]) && !isset($_POST['text'][$_limit])) ? 1 : 0; +$limit_exceeded = isset($_POST['text'][$_limit]) ? 1 : 0; +$pre_mem = memory_get_usage(); +$validation = (!empty($_POST[$_sid]) and isset($_POST['w3c_validate'][0])) ? 1 : 0; +include './htmLawed.php'; + +function format($t){ + $t = "\n". str_replace(array("\t", "\r\n", "\r", '&', '<', '>', "\n"), array(' ', "\n", "\n", '&', '<', '>', "¬
\n"), $t); + return str_replace(array('
', "\n ", ' '), array("\n
\n", "\n ", '  '), $t); +} + +function hexdump($d){ +// Mainly by Aidan Lister , Peter Waller + $hexi = ''; + $ascii = ''; + ob_start(); + echo '
';
+ $offset = 0;
+ $len = strlen($d);
+ for($i=$j=0; $i<$len; $i++)
+ {
+  // Convert to hexidecimal
+  $hexi .= sprintf("%02X ", ord($d[$i]));
+  // Replace non-viewable bytes with '.'
+  if(ord($d[$i]) >= 32){
+   $ascii .= htmlspecialchars($d[$i]);
+  }else{
+   $ascii .= '.';
+  } 
+  // Add extra column spacing
+  if($j == 7){
+   $hexi .= ' ';
+   $ascii .= '  ';
+  }
+  // Add row
+  if(++$j == 16 || $i == $len-1){
+   // Join the hexi / ascii output
+   echo sprintf("%04X   %-49s   %s", $offset, $hexi, $ascii);   
+   // Reset vars
+   $hexi = $ascii = '';
+   $offset += 16;
+   $j = 0;  
+   // Add newline   
+   if ($i !== $len-1){
+    echo "\n";
+   }
+  }
+ }
+ echo '
'; + $o = ob_get_contents(); + ob_end_clean(); + return $o; +} +?> + + + + + + + + +htmLawed (<?php echo hl_version();?>) test + + +
+ +
HTMLAWED TEST
+htm / txt documentation
+ +Input » (max. chars) + +
+ +
+ + +
+ + +'; + } +?> + + + + + + + + + + Validator tools: '; + } +} +?> + +Encoding: + +
+
+ +Input text is too long!
'; +} +?> + +
+ +Settings » + + +
+ +$v){ + if($k[0] == 'h' && $v != 'nil'){ + $cfg[substr($k, 1)] = $v; + } + } + + if(isset($cfg['anti_link_spam']) && $cfg['anti_link_spam'] && (!empty($cfg['anti_link_spam11']) or !empty($cfg['anti_link_spam12']))){ + $cfg['anti_link_spam'] = array($cfg['anti_link_spam11'], $cfg['anti_link_spam12']); + } + unset($cfg['anti_link_spam11'], $cfg['anti_link_spam12']); + if(isset($cfg['anti_mail_spam']) && $cfg['anti_mail_spam'] == 1){ + $cfg['anti_mail_spam'] = isset($cfg['anti_mail_spam1'][0]) ? $cfg['anti_mail_spam1'] : 0; + } + unset($cfg['anti_mail_spam11']); + if(isset($cfg['deny_attribute']) && $cfg['deny_attribute'] == 1){ + $cfg['deny_attribute'] = isset($cfg['deny_attribute1'][0]) ? $cfg['deny_attribute1'] : 0; + } + unset($cfg['deny_attribute1']); + if(isset($cfg['tidy']) && $cfg['tidy'] == 2){ + $cfg['tidy'] = isset($cfg['tidy2'][0]) ? $cfg['tidy2'] : 0; + } + unset($cfg['tidy2']); + if(isset($cfg['unique_ids']) && $cfg['unique_ids'] == 2){ + $cfg['unique_ids'] = isset($cfg['unique_ids2'][0]) ? $cfg['unique_ids2'] : 1; + } + unset($cfg['unique_ids2']); + unset($cfg['and_mark']); // disabling and_mark + + $cfg['show_setting'] = 'hlcfg'; + $st = microtime(); + $out = htmLawed($_POST['text'], $cfg, $_POST['spec']); + $et = microtime(); + echo '
Input code » ', strlen($_POST['text']), ' chars, ~', ($tag = round((substr_count($_POST['text'], '>') + substr_count($_POST['text'], '<'))/2)), ' tag', ($tag > 1 ? 's' : ''), ' ', (!isset($_POST['text'][$_hlimit]) ? ' Input binary » ' : ''), ' Finalized internal settings »  ', '
Output » htmLawed processing time ', number_format(((substr($et,0,9)) + (substr($et,-10)) - (substr($st,0,9)) - (substr($st,-10))),4), ' s', (($mem = memory_get_peak_usage()) !== false ? ', peak memory usage '. round(($mem-$pre_mem)/1048576, 2). ' MB' : ''), '
'; + if($_w3c_validate && $validation) + { +?> + + + + +
Output code »
', format($out), '
', (!isset($_POST['text'][$_hlimit]) ? ' Output binary »' : ''), ' Diff »
'; +} +else{ +?> + +
+ +
Use with a Javascript- and cookie-enabled, relatively new version of a common browser. + +
You can use text from this collection of test-cases in the input. Set the character encoding of the browser to Unicode/utf-8 before copying.' : ''); ?> + +

For anti-XSS tests, try the special test-page or see these results. + +

Change Encoding to reflect the character encoding of the input text. Even then, it may not work or some characters may not display properly because of variable browser support and because of the form interface. Developers can write some PHP code to capture the filtered input to a file if this is important. +

Refer to the htmLawed documentation (htm/txt) for details about Settings, and htmLawed's behavior and limitations. For Settings, incorrectly-specified values like regular expressions are silently ignored. One or more settings form-fields may have been disabled. Some characters are not allowed in the Spec field. + + +

Hovering the mouse over some of the text can provide additional information in some browsers. + + + +

Because of character-encoding issues, the W3C validator (anyway not perfect) may reject validation requests or invalidate otherwise-valid code, esp. if text was copy-pasted in the input box. Local applications like the HTML Validator Firefox browser add-on may be useful in such cases. + + + +
+ + + +
+ + diff --git a/web/libraries/htmLawed/htmLawed_README.htm b/web/libraries/htmLawed/htmLawed_README.htm new file mode 100644 index 000000000..c2f577453 --- /dev/null +++ b/web/libraries/htmLawed/htmLawed_README.htm @@ -0,0 +1,2291 @@ + + + + + + + + +htmLawed documentation | htmLawed PHP software is a free, open-source, customizable HTML input purifier and filter + + +
+

htmLawed documentation

+ +
1  About htmLawed
1.1  Example uses
1.2  Features
1.3  History
1.4  License & copyright
1.5  Terms used here
1.6  Availability
+2  Usage
2.1  Simple
2.2  Configuring htmLawed using the $config argument
2.3  Extra HTML specifications using the $spec argument
2.4  Performance time & memory usage
2.5  Some security risks to keep in mind
2.6  Use with kses() code
2.7  Tolerance for ill-written HTML
2.8  Limitations & work-arounds
2.9  Examples of usage
+3  Details
3.1  Invalid/dangerous characters
3.2  Character references/entities
3.3  HTML elements
+    3.3.1  HTML comments & CDATA sections
+    3.3.2  Tag-transformation for better compliance with standards
+    3.3.3  Tag balancing & proper nesting
+    3.3.4  Elements requiring child elements
+    3.3.5  Beautify or compact HTML
3.4  Attributes
+    3.4.1  Auto-addition of XHTML-required attributes
+    3.4.2  Duplicate/invalid id values
+    3.4.3  URL schemes & scripts in attribute values
+    3.4.4  Absolute & relative URLs
+    3.4.5  Lower-cased, standard attribute values
+    3.4.6  Transformation of deprecated attributes
+    3.4.7  Anti-spam & href
+    3.4.8  Inline style properties
+    3.4.9  Hook function for tag content
3.5  Simple configuration directive for most valid XHTML
3.6  Simple configuration directive for most safe HTML
3.7  Using a hook function
3.8  Obtaining finalized parameter values
3.9  Retaining non-HTML tags in input with mixed markup
+4  Other
4.1  Support
4.2  Known issues
4.3  Change-log
4.4  Testing
4.5  Upgrade, & old versions
4.6  Comparison with HTMLPurifier
4.7  Use through application plug-ins/modules
4.8  Use in non-PHP applications
4.9  Donate
4.10  Acknowledgements
+5  Appendices
5.1  Characters discouraged in HTML
5.2  Valid attribute-element combinations
5.3  CSS 2.1 properties accepting URLs
5.4  Microsoft Windows 1252 character replacements
5.5  URL format
5.6  Brief on htmLawed code
+ +
+
+
htmLawed_README.txt, 4 September 2021
+htmLawed 1.2.6, 4 September 2021
+Copyright Santosh Patnaik
+Dual licensed with LGPL 3 and GPL 2+
+A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed 
+
+ +

+1  About htmLawed +

(to top)
+
+  htmLawed is a PHP script to process text with HTML markup to make it more compliant with HTML standards and with administrative policies. It works by making HTML well-formed with balanced and properly nested tags, neutralizing code that introduces a security vulnerability or is used for cross-site scripting (XSS) attacks, allowing only specified HTML tags and attributes, and so on. Such lawing in of HTML code ensures that it is in accordance with the aesthetics, safety and usability requirements set by administrators.
+
+  htmLawed is highly customizable, and fast with low memory usage. Its free and open-source code is in one small file. It does not require extensions or libraries, and works in older versions of PHP as well. It is a good alternative to the HTML Tidy application.
+ +

+1.1  Example uses +

(to top)
+
+  *  Filtering of text submitted as comments on blogs to allow only certain HTML elements
+
+  *  Making RSS newsfeed items standard-compliant: often one uses an excerpt from an HTML document for the content, and with unbalanced tags, non-numerical entities, etc., such excerpts may not be XML-compliant
+
+  *  Beautifying or pretty-printing HTML code
+
+  *  Text processing for stricter XML standard-compliance: e.g., to have lowercased x in hexadecimal numeric entities becomes necessary if an HTML document with MathML content needs to be served as application/xml
+
+  *  Scraping text from web-pages
+
+  *  Transforming an HTML element to another
+ +
+

+1.2  Features +

(to top)
+
+  Key: * security feature, ^ standard compliance, ~ requires setting right options
+
+  htmLawed:
+
+  *  makes input more secure and standard-compliant for HTML as well as generic XML documents  ^
+  *  supports markup for HTML 5 and microdata, ARIA, Ruby, custom attributes, etc.  ^
+  *  can beautify or compact HTML  ~
+  *  works with input of almost any character encoding and does not affect it
+  *  has good tolerance for ill-written HTML
+
+  *  can enforce restricted use of elements  *~
+  *  ensures proper closure of empty elements like img  ^
+  *  transforms deprecated elements like font  ^~
+  *  can permit HTML comments and CDATA sections  ^~
+  *  can permit all elements, including script, object and form  ~
+
+  *  can restrict attributes by element  ^~
+  *  removes invalid attributes  ^
+  *  lower-cases element and attribute names  ^
+  *  provides required attributes, like alt for image  ^
+  *  transforms deprecated attributes  ^~
+  *  ensures attributes are declared only once  ^
+  *  permits custom, non-standard attributes as well as custom rules for standard attributes  ~
+
+  *  declares value for empty (minimized or boolean) attributes like checked  ^
+  *  checks for potentially dangerous attribute values  *~
+  *  ensures unique id attribute values  ^~
+  *  double-quotes attribute values  ^
+  *  lower-cases standard attribute values like password  ^
+
+  *  can restrict URL protocol/scheme by attribute  *~
+  *  can disable dynamic expressions in style values  *~
+
+  *  neutralizes invalid named character entities  ^
+  *  converts hexadecimal numeric entities to decimal ones, or vice versa  ^~
+  *  converts named entities to numeric ones for generic XML use  ^~
+
+  *  removes null characters  *
+  *  neutralizes potentially dangerous proprietary Netscape Javascript entities  *
+  *  replaces potentially dangerous soft-hyphen character in URL-accepting attribute values with spaces  *
+
+  *  removes common invalid characters not allowed in HTML or XML  ^
+  *  replaces characters from Microsoft applications like Word that are discouraged in HTML or XML  ^~
+  *  neutralize entities for characters invalid or discouraged in HTML or XML  ^
+  *  appropriately neutralize <, &, ", and > characters  ^*
+
+  *  understands improperly spaced tag content (e.g., spread over more than a line) and properly spaces them
+  *  attempts to balance tags for well-formedness  ^~
+  *  understands when omitable closing tags like </p> are missing  ^~
+  *  attempts to permit only validly nested tags  ^~
+  *  can either remove or neutralize bad content ^~
+  *  attempts to rectify common errors of plain-text misplacement (e.g., directly inside blockquote) ^~
+
+  *  has optional anti-spam measures such as addition of rel="nofollow" and link-disabling  ~
+  *  optionally makes relative URLs absolute, and vice versa  ~
+
+  *  optionally marks & to identify the entities for &, < and > introduced by it  ~
+
+  *  allows deployment of powerful hook functions to inject HTML, consolidate style attributes to class, finely check attribute values, etc.  ~
+ +
+

+1.3  History +

(to top)
+
+  htmLawed was created in 2007 for use with LabWiki, a wiki software developed at PHP Labware, as a suitable software could not be found. Existing PHP software like Kses and HTMLPurifier were deemed inadequate, slow, resource-intensive, or dependent on an extension or external application like HTML Tidy. The core logic of htmLawed, that of identifying HTML elements and attributes, was based on the Kses (version 0.2.2) HTML filter software of Ulf Harnhammar (it can still be used with code that uses Kses; see section 2.6.). Support for HTML version 5 was added in May 2013 in a beta and in February 2017 in a production release.
+
+  See section 4.3 for a detailed log of changes in htmLawed over the years, and section 4.10 for acknowledgements.
+ +
+

+1.4  License & copyright +

(to top)
+
+  htmLawed is free and open-source software, copyrighted by Santosh Patnaik, MD, PhD, and dual-licensed with LGPL version 3, and GPL version 2 (or later) licenses.
+ +
+

+1.5  Terms used here +

(to top)
+
+  In this document, only HTML body-level elements are considered. htmLawed does not have support for head-level elements, body, and the frame-level elements, frameset, frame and noframes, and these elements are ignored here.
+
+  *  administrator - or admin; person setting up the code that utilizes htmLawed; also, user
+  *  attributes - name-value pairs like href="http://x.com" in opening tags
+  *  author - see writer
+  *  character - atomic unit of text; internally represented by a numeric code-point as specified by the encoding or charset in use
+  *  entity - markup like &gt; and &#160; used to refer to a character
+  *  element - HTML element like a and img
+  *  element content -  content between the opening and closing tags of an element, like click of the <a href="x">click</a> element
+  *  HTML - implies XHTML unless specified otherwise
+  *  HTML body - content in the body container of an HTML document
+  *  input - text given to htmLawed to process
+  *  legal â€“ standard-compliant; also, valid
+  *  processing - involves filtering, correction, etc., of input
+  *  safe - absence or reduction of certain characters and HTML elements and attributes in HTML of text that can otherwise potentially, and circumstantially, expose text readers to security vulnerabilities like cross-site scripting attacks (XSS)
+  *  scheme - a URL protocol like http and ftp
+  *  specification - detailed description including rules that define HTML
+  *  standard â€“ widely accepted specification
+  *  style property - terms like border and height for which declarations are made in values for the style attribute of elements
+  *  tag - markers like <a href="x"> and </a> delineating element content; the opening tag can contain attributes
+  *  tag content - consists of tag markers < and >, element names like div, and possibly attributes
+  *  user - administrator
+  *  valid - see legal
+  *  writer - end-user like a blog commenter providing the input that is to be processed; also, author
+  *  XHTML - XML-compliant HTML; parsing rules for XHTML are more strict than for regular HTML
+ +
+

+1.6  Availability +

(to top)
+
+  htmLawed can be downloaded for free at its website. Besides the htmLawed.php file, the download has the htmLawed documentation (this document) in plain text and HTML formats, a script for testing, and a text file for test-cases. htmLawed is also available as a PHP class (OOP code) at its website.
+ +
+
+

+2  Usage +

(to top)
+
+  htmLawed works in PHP version 4.4 or higher. Either include() the htmLawed.php file, or copy-paste the entire code.
+
+  To use with PHP 4.3, have the following code included:
+
+ +    if(!function_exists('ctype_digit')){ +
+ +     function ctype_digit($var){ +
+ +      return ((int) $var == $var); +
+ +     } +
+ +    } +
+ +

+2.1  Simple +

(to top)
+
+  The input text to be processed, $text, is passed as an argument of type string; htmLawed() returns the processed string:
+
+ +    $processed = htmLawed($text); +
+
+  With the htmLawed class (section 1.6), usage is:
+
+ +    $processed = htmLawed::hl($text); +
+
Notes: (1) If input is from a $_GET or $_POST value, and magic quotes are enabled on the PHP setup, run stripslashes() on the input before passing to htmLawed. (2) htmLawed does not have support for head-level elements, body, and the frame-level elements, frameset, frame and noframes.
+
+  By default, htmLawed will process the text allowing all valid HTML elements/tags and commonly used URL schemes and CSS style properties. It will allow Javascript code, CDATA sections and HTML comments, balance tags, and ensure proper nesting of elements. Such actions can be configured using two other optional arguments -- $config and $spec:
+
+ +    $processed = htmLawed($text, $config, $spec); +
+
+  The $config and $spec arguments are detailed below. Some examples are shown in section 2.9. For maximum protection against XSS and other security vulnerabilities, consider using the safe parameter; see section 3.6.
+ +
+

+2.2  Configuring htmLawed using the $config argument +

(to top)
+
$config instructs htmLawed on how to tackle certain tasks. When $config is not specified, or not set as an array (e.g., $config = 1), htmLawed will take default actions. One or many of the task-action or parameter-value pairs can be specified in $config as array key-value pairs. If a parameter is not specified, htmLawed will use the default value for it, indicated further below. In PHP code, parameter values that are integers should not be quoted and should be used as numeric types (unless meant as string/text). Thus, for instance:
+
+ +    $config = array('comment'=>0, 'cdata'=>1, 'elements'=>'a, b, strong'); +
+ +    $processed = htmLawed($text, $config); +
+
+  Below are the various parameters that can be specified in $config.
+
+  Key: * default, ^ different from htmLawed versions below 1.2, ~ different default when valid_xhtml is set to 1 (see section 3.5), " different default when safe is set to 1 (see section 3.6)
+
abs_url
+  Make URLs absolute or relative; $config["base_url"] needs to be set; see section 3.4.4
+
-1 - make relative
0 - no action  *
1 - make absolute
+
and_mark
+  Mark & characters in the original input; see section 3.2
+
anti_link_spam
+  Anti-link-spam measure; see section 3.4.7
+
0 - no measure taken  *
array("regex1", "regex2") - will ensure a rel attribute with nofollow in its value in case the href attribute value matches the regular expression pattern regex1, and/or will remove href if its value matches the regular expression pattern regex2. E.g., array("/./", "/://\W*(?!(abc\.com|xyz\.org))/"); see section 3.4.7 for more.
+
anti_mail_spam
+  Anti-mail-spam measure; see section 3.4.7
+
0 - no measure taken  *
word - @ in mail address in href attribute value is replaced with specified word
+
balance
+  Balance tags for well-formedness and proper nesting; see section 3.3.3
+
0 - no
1 - yes  *
+
base_url
+  Base URL value that needs to be set if $config["abs_url"] is not 0; see section 3.4.4
+
cdata
+  Handling of CDATA sections; see section 3.3.1
+
0 - don't consider CDATA sections as markup and proceed as if plain text  "
1 - remove
2 - allow, but neutralize any <, >, and & inside by converting them to named entities
3 - allow  *
+
clean_ms_char
+  Replace discouraged characters introduced by Microsoft Word, etc.; see section 3.1
+
0 - no  *
1 - yes
2 - yes, but replace special single & double quotes with ordinary ones
+
comment
+  Handling of HTML comments; see section 3.3.1
+
0 - don't consider comments as markup and proceed as if plain text  "
1 - remove
2 - allow, but neutralize any <, >, and & inside by converting to named entities
3 - allow  *
+
css_expression
+  Allow dynamic CSS expression by not removing the expression from CSS property values in style attributes; see section 3.4.8
+
0 - remove  *
1 - allow
+
deny_attribute
+  Denied HTML attributes; see section 3.4
+
0 - none  *
string - dictated by values in string
on* - on* event attributes like onfocus not allowed  "
+
direct_nest_list
+  Allow direct nesting of a list within another without requiring it to be a list item; see section 3.3.4
+
0 - no  *
1 - yes
+
elements
+  Allowed HTML elements; see section 3.3
+
all - *^
* -acronym -big -center -dir -font -isindex -s -strike -tt -  ~^
applet, audio, canvas, embed, iframe, object, script, and video elements not allowed -  "^
+
hexdec_entity
+  Allow hexadecimal numeric entities and do not convert to the more widely accepted decimal ones, or convert decimal to hexadecimal ones; see section 3.2
+
0 - no
1 - yes  *
2 - convert decimal to hexadecimal ones
+
hook
+  Name of an optional hook function to alter the input string, $config or $spec before htmLawed enters the main phase of its work; see section 3.7
+
0 - no hook function  *
name - name is name of the hook function
+
hook_tag
+  Name of an optional hook function to alter tag content finalized by htmLawed; see section 3.4.9
+
0 - no hook function  *
name - name is name of the hook function
+
keep_bad
+  Neutralize bad tags by converting their < and > characters to entities, or remove them; see section 3.3.3
+
0 - remove
1 - neutralize both tags and element content
2 - remove tags but neutralize element content
3 and 4 - like 1 and 2 but remove if text (pcdata) is invalid in parent element
5 and 6 * -  like 3 and 4 but line-breaks, tabs and spaces are left
+
lc_std_val
+  For XHTML compliance, predefined, standard attribute values, like get for the method attribute of form, must be lowercased; see section 3.4.5
+
0 - no
1 - yes  *
+
make_tag_strict
+  Transform or remove these deprecated HTML elements, even if they are allowed by the admin: acronym, applet, big, center, dir, font, isindex, s, strike, tt; see section 3.3.2
+
0 - no
1 - yes, but leave applet and isindex that currently cannot be transformed  *^
2 - yes, removing applet and isindex elements and their contents (nested elements remain)  ~^
+
named_entity
+  Allow non-universal named HTML entities, or convert to numeric ones; see section 3.2
+
0 - convert
1 - allow  *
+
no_deprecated_attr
+  Allow deprecated attributes or transform them; see section 3.4.6
+
0 - allow
1 - transform, but name attributes for a and map are retained  *
2 - transform
+
parent
+  Name of the parent element, possibly imagined, that will hold the input; see section 3.3
+
safe
+  Magic parameter to make input the most secure against vulnerabilities like XSS without needing to specify other relevant $config parameters; see section 3.6
+
0 - no  *
1 - will auto-adjust other relevant $config parameters (indicated by " in this list)  ^
+
schemes
+  Array of attribute-specific, comma-separated, lower-cased list of schemes (protocols) allowed in attributes accepting URLs (or ! to deny any URL); * covers all unspecified attributes; see section 3.4.3
+
href: aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet; *:data, file, http, https, javascript  *^
href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https  "
+
show_setting
+  Name of a PHP variable to assign the finalized $config and $spec values; see section 3.8
+
style_pass
+  Ignore style attribute values, letting them through without any alteration
+
0 - no *
1 - htmLawed will let through any style value; see section 3.4.8
+
tidy
+  Beautify or compact HTML code; see section 3.3.5
+
-1 - compact
0 - no  *
1 or string - beautify (custom format specified by string)
+
unique_ids
id attribute value checks; see section 3.4.2
+
0 - no
1 - remove duplicate and/or invalid ones  *
word - remove invalid ones and replace duplicate ones with new and unique ones based on the word; the admin-specified word cannot contain a space character
+
valid_xhtml
+  Magic parameter to make input the most valid XHTML without needing to specify other relevant $config parameters; see section 3.5
+
0 - no  *
1 - will auto-adjust other relevant $config parameters (indicated by ~ in this list)
+
xml:lang
+  Auto-add xml:lang attribute; see section 3.4.1
+
0 - no  *
1 - add if lang attribute is present
2 - add if lang attribute is present, and remove lang  ~
+ +
+

+2.3  Extra HTML specifications using the $spec parameter +

(to top)
+
+  The $spec argument of htmLawed can be used to disallow an otherwise legal attribute for an element, or to restrict the attribute's values. This can also be helpful as a security measure (e.g., in certain versions of browsers, certain values can cause buffer overflows and denial of service attacks), or in enforcing admin policies. $spec is specified as a string of text containing one or more rules, with multiple rules separated from each other by a semi-colon (;). E.g.,
+
+ +    $spec = 'i=-*; td, tr=style, id, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt'; +
+ +    $processed = htmLawed($text, $config, $spec); +
+
+  Or,
+
+ +    $processed = htmLawed($text, $config, 'i=-*; td, tr=style, id, -*; a=id(match="/[a-z][a-z\d.:\-`"]*/i"/minval=2), href(maxlen=100/minlen=34); img=-width,-alt'); +
+
+  A rule begins with an HTML element name(s) (rule-element), for which the rule applies, followed by an equal-to (=) sign. A rule-element may represent multiple elements if comma (,)-separated element names are used. E.g., th,td,tr=.
+
+  Rest of the rule consists of comma-separated HTML attribute names. A minus (-) character before an attribute means that the attribute is not permitted inside the rule-element. E.g., -width. To deny all attributes, -* can be used.
+
+  Following shows examples of rule excerpts with rule-element a and the attributes that are being permitted:
+
+  *  a= - all
+  *  a=id - all
+  *  a=href, title, -id, -onclick - all except id and onclick
+  *  a=*, id, -id - all except id
+  *  a=-* - none
+  *  a=-*, href, title - none except href and title
+  *  a=-*, -id, href, title - none except href and title
+
+  Rules regarding attribute values are optionally specified inside round brackets after attribute names in solidus (/)-separated parameter = value pairs. E.g., title(maxlen=30/minlen=5). None or one or more of the following parameters may be specified:
+
+  *  oneof - one or more choices separated by | that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive
+
+  *  noneof - one or more choices separated by | that the value should not match; matching is case-sensitive
+
+  *  maxlen and minlen - upper and lower limits for the number of characters in the attribute value; specified in numbers
+
+  *  maxval and minval - upper and lower limits for the numerical value specified in the attribute value; specified in numbers
+
+  *  match and nomatch - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)
+
+  *  default - a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters
+
+  If default is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The default value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., maxlen to -1).
+
+  Examples with input <input title="WIDTH" value="10em" /><input title="length" value="5" class="ic1 ic2" /> are shown below.
+
Rule: input=title(maxlen=60/minlen=6), value
Output: <input value="10em" /><input title="length" value="5" class="ic1 ic2" />
+
Rule: input=title(), value(maxval=8/default=6)
Output: <input title="WIDTH" value="6" /><input title="length" value="5" class="ic1 ic2" />
+
Rule: input=title(nomatch=%w.d%i), value(match=%em%/default=6em)
Output: <input value="10em" /><input title="length" value="6em" class="ic1 ic2" />
+
Rule: input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)
Output: <input title="depth" value="10em" /><input title="depth" class="ic1" />
+
Special characters: The characters ;, ,, /, (, ), |, ~ and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be escaped by enclosing in pairs of double-quotes ("). A back-tick (`) can be used to escape a literal ". An example rule illustrating this is input=value(maxlen=30/match="/^\w/"/default="your `"ID`"").
+
Attributes that accept multiple values: If an attribute is accesskey, class, itemtype or rel, which can have multiple, space-separated values, or srcset, which can have multiple, comma-separated values, htmLawed will parse the attribute value for such multiple values and will individually test each of them.
+
Note: To deny an attribute for all elements for which it is legal, $config["deny_attribute"] (see section 3.4) can be used instead of $spec. Also, attributes can be allowed element-specifically through $spec while being denied globally through $config["deny_attribute"]. The hook_tag parameter (section 3.4.9) can also be possibly used to implement a functionality like that achieved using $spec functionality.
+
Note: Attributes' specifications for an element may be set through multiple rules. In case of conflict, the attribute specification in the first rule will get precedence.
+
$spec can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of $spec will permit the custom uses of the standard rel attribute in input (not permitted as per standards) and of a non-standard attribute, vFlag, in img.
+
+ +    $spec = 'img=vFlag; input=rel' +
+
+  The attribute names must begin with an alphabet and cannot have space, equal-to (=) and solidus (/) characters.
+ +
+

+2.4  Performance time & memory usage +

(to top)
+
+  The time and memory consumed during text processing by htmLawed depends on its configuration, the size of the input, and the amount, nestedness and well-formedness of the HTML markup within the input. In particular, tag balancing and beautification each can increase the processing time by about a quarter.
+
+  The htmLawed demo can be used to evaluate the performance and effects of different types of input and $config.
+ +
+

+2.5  Some security risks to keep in mind +

(to top)
+
+  When setting the parameters/arguments (like those to allow certain HTML elements) for use with htmLawed, one should bear in mind that the setting may let through potentially dangerous HTML code which is meant to steal user-data, deface a website, render a page non-functional, etc. Unless end-users, either people or software, supplying the content are completely trusted, security issues arising from the degree of HTML usage permitted through htmLawed's setting should be considered. For example, following increase security risks:
+
+  *  Allowing script, applet, embed, iframe, canvas, audio, video or object elements, or certain of their attributes like allowscriptaccess
+
+  *  Allowing HTML comments (some Internet Explorer versions are vulnerable with, e.g., <!--[if gte IE 4]><script>alert("xss");</script><![endif]-->
+
+  *  Allowing dynamic CSS expressions (some Internet Explorer versions are vulnerable)
+
+  *  Allowing the style attribute
+
+  To remove unsecure HTML, code-developers using htmLawed must set $config appropriately. E.g., $config["elements"] = "* -script" to deny the script element (section 3.3), $config["safe"] = 1 to auto-configure ceratin htmLawed parameters for maximizing security (section 3.6), etc.
+
+  Permitting the *style* attribute brings in risks of click-jacking, phishing, web-page overlays, etc., even when the safe parameter is enabled (see section 3.6). Except for URLs and a few other things like CSS dynamic expressions, htmLawed currently does not check every CSS style property. It does provide ways for the code-developer implementing htmLawed to do such checks through htmLawed's $spec argument, and through the hook_tag parameter (see section 3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended.
+
+  htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permissive circumstances, such as when the character encoding is left undefined through HTTP headers or HTML meta tags, this can allow for an exploit (like Google's UTF-7/XSS vulnerability of the past).
+
+  Ocassionally, though very rarely, the default settings with which htmLawed runs may change between different versions of htmLawed. Admins should keep this in mind when upgrading htmLawed. Important changes in htmLawed's default behavior in new releases of the software are noted in section 4.5 on upgrades.
+ +
+

+2.6  Use with kses() code +

(to top)
+
+  The Kses PHP script for HTML filtering is used by many applications (like WordPress, as in year 2012). It is possible to have such applications use htmLawed instead, since it is compatible with code that calls the kses() function declared in the Kses file (usually named kses.php). E.g., application code like this will continue to work after replacing Kses with htmLawed:
+
+ +    $comment_filtered = kses($comment_input, array('a'=>array(), 'b'=>array(), 'i'=>array())); +
+
+  If the application uses a Kses file that has the kses() function declared, then, to have the application use htmLawed instead of Kses, rename htmLawed.php (to kses.php, e.g.) and replace the Kses file (or just replace the code in the Kses file with the htmLawed code). If the kses() function in the Kses file had been renamed by the application developer (e.g., in WordPress, it is named wp_kses()), then appropriately rename the kses() function in the htmLawed code. Then, add the following code (which was a part of htmLawed prior to version 1.2):
+
+ +    // kses compatibility +
+ +    function kses($t, $h, $p=array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'gopher', 'mailto')){ +
+ +     foreach($h as $k=>$v){ +
+ +      $h[$k]['n']['*'] = 1; +
+ +     } +
+ +     $C['cdata'] = $C['comment'] = $C['make_tag_strict'] = $C['no_deprecated_attr'] = $C['unique_ids'] = 0; +
+ +     $C['keep_bad'] = 1; +
+ +     $C['elements'] = count($h) ? strtolower(implode(',', array_keys($h))) : '-*'; +
+ +     $C['hook'] = 'kses_hook'; +
+ +     $C['schemes'] = '*:'. implode(',', $p); +
+ +     return htmLawed($t, $C, $h); +
+ +     } +
+
+ +    function kses_hook($t, &$C, &$S){ +
+ +     return $t; +
+ +    } +
+
+  If the Kses file used by the application has been significantly altered by the application developers, then one may need a different approach. E.g., with WordPress (as in the year 2012), it is best to copy the htmLawed code, along with the above-mentioned additions, to wp_includes/kses.php, rename the newly added function kses() to wp_kses(), and delete the code for the original wp_kses() function.
+
+  If the Kses code has a non-empty hook function (e.g., wp_kses_hook() in case of WordPress), then the code for htmLawed's kses_hook() function should be appropriately edited. However, the requirement of the hook function should be re-evaluated considering that htmLawed has extra capabilities. With WordPress, the hook function is an essential one. The following code is suggested for the htmLawed kses_hook() in case of WordPress:
+
+ +    // kses compatibility +
+ +    function kses_hook($string, &$cf, &$spec){ +
+ +     $allowed_html = $spec; +
+ +     $allowed_protocols = array(); +
+ +     foreach($cf['schemes'] as $v){ +
+ +      foreach($v as $k2=>$v2){ +
+ +       if(!in_array($k2, $allowed_protocols)){ +
+ +        $allowed_protocols[] = $k2; +
+ +       } +
+ +      } +
+ +     } +
+ +     return wp_kses_hook($string, $allowed_html, $allowed_protocols); +
+ +    } +
+ +
+

+2.7  Tolerance for ill-written HTML +

(to top)
+
+  htmLawed can work with ill-written HTML code in the input. However, HTML that is too ill-written may not be read as HTML, and may therefore get identified as mere plain text. Following statements indicate the degree of looseness that htmLawed can work with, and can be provided in instructions to writers:
+
+  *  Tags must be flanked by < and > with no > inside -- any needed > should be put in as &gt;. It is possible for tag content (element name and attributes) to be spread over many lines instead of being on one. A space may be present between the tag content and >, like <div > and <img / >, but not after the <.
+
+  *  Element and attribute names need not be lower-cased.
+
+  *  Attribute string of elements may be liberally spaced with tabs, line-breaks, etc.
+
+  *  Attribute values may be single- and not double-quoted.
+
+  *  Left-padding of numeric entities (like, &#0160;, &x07ff;) with 0 is okay as long as the number of characters between between the & and the ; does not exceed 8. All entities must end with ; though.
+
+  *  Named character entities must be properly cased. Thus, &Lt; or &TILDE; will not be recognized as entities and will be neutralized.
+
+  *  HTML comments should not be inside element tags (they can be between tags), and should begin with <!-- and end with -->. Characters like <, >, and & may be allowed inside depending on $config, but any --> inside should be put in as --&gt;. Any -- inside will be automatically converted to -, and a space will be added before the --> comment-closing marker  unless $config["comments"] is set to 4 (section 3.3.1).
+
+  *  CDATA sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with <[CDATA[ and end with ]]>. Characters like <, >, and & may be allowed inside depending on $config, but any ]]> inside should be put in as ]]&gt;.
+
+  *  For attribute values, character entities &lt;, &gt; and &amp; should be used instead of characters < and >, and & (when & is not part of a character entity). This applies even for Javascript code in values of attributes like onclick.
+
+  *  Characters <, >, & and " that are part of actual Javascript, etc., code in script elements should be used as such and not be put in as entities like &gt;. Otherwise, though the HTML will be valid, the code may fail to work. Further, if such characters have to be used, then they should be put inside CDATA sections.
+
+  *  Simple instructions like "an opening tag cannot be present between two closing tags" and "nested elements should be closed in the reverse order of how they were opened" can help authors write balanced HTML. If tags are imbalanced, htmLawed will try to balance them, but in the process, depending on $config["keep_bad"], some code/text may be lost.
+
+  *  Input authors should be notified of admin-specified allowed elements, attributes, configuration values (like conversion of named entities to numeric ones), etc.
+
+  *  With $config["unique_ids"] not 0 and the id attribute being permitted, writers should carefully avoid using duplicate or invalid id values as even though htmLawed will correct/remove the values, the final output may not be the one desired. E.g., when <a id="home"></a><input id="home" /><label for="home"></label> is processed into
+<a id="home"></a><input id="prefix_home" /><label for="home"></label>.
+
+  *  Even if intended HTML is lost from an ill-written input, the processed output will be more secure and standard-compliant.
+
+  *  For URLs, unless $config["scheme"] is appropriately set, writers should avoid using escape characters or entities in schemes. E.g., htt&#112; (which many browsers will read as the harmless http) may be considered bad by htmLawed.
+
+  *  htmLawed will attempt to put plain text present directly inside blockquote, form, map and noscript elements (illegal as per the specifications) inside auto-generated div elements during tag balancing (section 3.3.3).
+ +
+

+2.8  Limitations & work-arounds +

(to top)
+
+  htmLawed's main objective is to make the input text more standard-compliant, secure for readers, and free of HTML elements and attributes considered undesirable by the administrator. Some of its current limitations, regardless of this objective, are noted below along with possible work-arounds.
+
+  It should be borne in mind that no browser application is 100% standard-compliant, standard specifications continue to evolve, and many browsers accept commonly used non-standard HTML. Regarding security, note that unsafe HTML code is not legally invalid per se.
+
+  *  By default, htmLawed will not strictly adhere to the current HTML standard. Admins can configure htmLawed to be more strict about standard compliance. Standard specification for HTML is continuously evolving. There are two bodies (W3C and WHATWG) that specify the standard and their specifications are not identical. E.g., as in mid-2013, the border attribute is valid in table as per W3C but not WHATWG. Thus, htmLawed may not be fully compliant with the standard of a specific group. The HTML standards/rules that htmLawed uses in its logic are a mix of the W3C and WHATWG standards, and can be lax because of the laxity of HTML interpreters (browsers) regarding standards.
+
+  *  In general, htmLawed processes input to generate output that is most likely to be standard-compatible in most users' browsers. Thus, for example, it does not enforce the required value of 0 on border attribute of img (an HTML version 5 specification).
+
+  *  htmLawed is meant for input that goes into the body of HTML documents. HTML's head-level elements are not supported, nor are the frame-specific elements frameset, frame and noframes. However, content of the latter elements can be individually filtered through htmLawed.
+
+  *  It cannot handle input that has non-HTML code like SVG and MathML. One way around is to break the input into pieces and passing only those without non-HTML code to htmLawed. Another is described in section 3.9. A third way may be to some how take advantage of the $config["and_mark"] parameter (see section 3.2).
+
+  *  By default, htmLawed won't check many attribute values for standard compliance. E.g., width="20m" with the dimension in non-standard m is let through. Implementing universal and strict attribute value checks can make htmLawed slow and resource-intensive. Admins should look at the hook_tag parameter (section 3.4.9) or $spec to enforce finer checks on attribute values.
+
+  *  By default, htmLawed considers all ARIA, data-*, event and microdata attributes as global attributes and permits them in all elements. This is not strictly standard-compliant. E.g., the itemtype microdata attribute is permitted only in elements that also have the itemscope attribute. Admins can configure htmLawed to be more strict about this (section 2.3).
+
+  *  The attributes, deprecated (which can be transformed too) or not, that it supports are largely those that are in the specifications. Only a few of the proprietary attributes are supported. However, $spec can be used to allow custom attributes (section 2.3).
+
+  *  Except for contained URLs and dynamic expressions (also optional), htmLawed does not check CSS style property values. Admins should look at using the hook_tag parameter (section 3.4.9) or $spec for finer checks. Perhaps the best option is to disallow style but allow class attributes with the right oneof or match values for class, and have the various class style properties in .css CSS stylesheet files.
+
+  *  htmLawed does not parse emoticons, decode BBcode, or wikify, auto-converting text to proper HTML. Similarly, it won't convert line-breaks to br elements. Such functions are beyond its purview. Admins should use other code to pre- or post-process the input for such purposes.
+
+  *  htmLawed cannot be used to have links force-opened in new windows (by auto-adding appropriate target and onclick attributes to a). Admins should look at Javascript-based DOM-modifying solutions for this. Admins may also be able to use a custom hook function to enforce such checks (hook_tag parameter; see section 3.4.9).
+
+  *  Nesting-based checks are not possible. E.g., one cannot disallow p elements specifically inside td while permitting it elsewhere. Admins may be able to use a custom hook function to enforce such checks (hook_tag parameter; see section 3.4.9).
+
+  *  Except for optionally converting absolute or relative URLs to the other type, htmLawed will not alter URLs (e.g., to change the value of query strings or to convert http to https. Having absolute URLs may be a standard-requirement, e.g., when HTML is embedded in email messages, whereas altering URLs for other purposes is beyond htmLawed's goals. Admins may be able to use a custom hook function to enforce such checks (hook_tag parameter; see section 3.4.9).
+
+  *  Pairs of opening and closing tags that do not enclose any content (like <em></em>) are not removed. This may be against the standard specification for certain elements (e.g., table). However, presence of such standard-incompliant code will not break the display or layout of content. Admins can also use simple regex-based code to filter out such code.
+
+  *  htmLawed does not check for certain element orderings described in the standard specifications (e.g., in a table, tbody is allowed before tfoot). Admins may be able to use a custom hook function to enforce such checks (hook_tag parameter; see section 3.4.9).
+
+  *  htmLawed does not check the number of nested elements. E.g., it will allow two caption elements in a table element, illegal as per standard specifications. Admins may be able to use a custom hook function to enforce such checks (hook_tag parameter; see section 3.4.9).
+
+  *  There are multiple ways to interpret ill-written HTML. E.g., in <small><small>text</small>, is it that the second closing tag for small is missing or is it that the second opening tag for small was put in by mistake? htmLawed corrects the HTML in the string assuming the former, while the user may have intended the string for the latter. This is an issue that is impossible to address perfectly.
+
+  *  htmLawed might convert certain entities to actual characters and remove backslashes and CSS comment-markers (/*) in style attribute values in order to detect malicious HTML like crafted, Internet Explorer browser-specific dynamic expressions like &#101;xpression.... If this is too harsh, admins can allow CSS expressions through htmLawed core but then use a custom function through the hook_tag parameter (section 3.4.9) to more specifically identify CSS expressions in the style attribute values. Also, using $config["style_pass"], it is possible to have htmLawed pass style attribute values without even looking at them (section 3.4.8).
+
+  *  htmLawed does not correct certain possible attribute-based security vulnerabilities (e.g., <a href="http://x%22+style=%22background-image:xss">x</a>). These arise when browsers mis-identify markup in escaped text, defeating the very purpose of escaping text (a bad browser will read the given example as <a href="http://x" style="background-image:xss">x</a>).
+
+  *  Because of poor Unicode support in PHP, htmLawed does not remove the high value HTML-invalid characters with multi-byte code-points. Such characters however are extremely unlikely to be in the input. (see section 3.1).
+
+  *  htmLawed does not check or correct the character encoding of the input it receives. In conjunction with permitting circumstances such as when the character encoding is left undefined through HTTP headers or HTML meta tags, this can permit an exploit (like Google's UTF-7/XSS vulnerability of the past). Also, htmLawed can mangle input text if it is not well-formed in terms of character encoding. Administrators can consider using code available elsewhere to check well-formedness of input text characters to correct any defect.
+
+  *  htmLawed is expected to work with input texts in ASCII standard-compatible single-byte encodings such as national variants of ASCII (like ISO-646-DE/German of the ISO 646 standard), extended ASCII variants (like ISO 8859-10/Turkish of the ISO 8859/ISO Latin standard), ISO 8859-based Windows variants (like Windows 1252), EBCDIC, Shift JIS (Japanese), GB-Roman (Chinese), and KS-Roman (Korean). It should also properly handle texts with variable-byte encodings like UTF-7 (Unicode) and UTF-8 (Unicode). However, htmLawed may mangle input texts with double-byte encodings like UTF-16 (Unicode), JIS X 0208:1997 (Japanese) and K SX 1001:1992 (Korean), or the UTF-32 (Unicode) quadruple-byte encoding. If an input text has such an encoding, administrators can use PHP's iconv functions, or some other mean, to convert text to UTF-8 before passing it to htmLawed.
+
+  *  Like any script using PHP's PCRE regex functions, PHP setup-specific low PCRE limit values can cause htmLawed to at least partially fail with very long input texts.
+ +
+

+2.9  Examples of usage +

(to top)
+
+  Safest, allowing only safe HTML markup --
+
+ +    $config = array('safe'=>1); +
+ +    $out = htmLawed($in, $config); +
+
+  Simplest, allowing all valid HTML markup including Javascript --
+
+ +    $out = htmLawed($in); +
+
+  Allowing all valid HTML markup but restricting URL schemes in src attribute values to http and https --
+
+ +    $config = array('schemes'=>'*:*; src:http, https'); +
+ +    $out = htmLawed($in, $config); +
+
+  Allowing only safe HTML and the elements a, em, and strong --
+
+ +    $config = array('safe'=>1, 'elements'=>'a, em, strong'); +
+ +    $out = htmLawed($in, $config); +
+
+  Not allowing elements script and object --
+
+ +    $config = array('elements'=>'* -script -object'); +
+ +    $out = htmLawed($in, $config); +
+
+  Not allowing attributes id and style --
+
+ +    $config = array('deny_attribute'=>'id, style'); +
+ +    $out = htmLawed($in, $config); +
+
+  Permitting only attributes title and href --
+
+ +    $config = array('deny_attribute'=>'* -title -href'); +
+ +    $out = htmLawed($in, $config); +
+
+  Remove bad/disallowed tags altogether instead of converting them to entities --
+
+ +    $config = array('keep_bad'=>0); +
+ +    $out = htmLawed($in, $config); +
+
+  Allowing attribute title only in a and not allowing attributes id, style, or scriptable on* attributes like onclick --
+
+ +    $config = array('deny_attribute'=>'title, id, style, on*'); +
+ +    $spec = 'a=title'; +
+ +    $out = htmLawed($in, $config, $spec); +
+
+  Allowing a custom attribute, vFlag, in img and permitting custom use of the standard attribute, rel, in input --
+
+ +    $spec = 'img=vFlag; input=rel'; +
+ +    $out = htmLawed($in, $config, $spec); +
+
+  Some case-studies are presented below.
+
1. A blog administrator wants to allow only a, em, strike, strong and u in comments, but needs strike and u transformed to span for better XHTML 1-strict compliance, and, he wants the a links to point only to http or https resources:
+
+ +    $processed = htmLawed($in, array('elements'=>'a, em, strike, strong, u', 'make_tag_strict'=>1, 'safe'=>1, 'schemes'=>'*:http, https'), 'a=href'); +
+
2. An author uses a custom-made web application to load content on his website. He is the only one using that application and the content he generates has all types of HTML, including scripts. The web application uses htmLawed primarily as a tool to correct errors that creep in while writing HTML and to take care of the occasional bad characters in copy-paste text introduced by Microsoft Office. The web application provides a preview before submitted input is added to the content. For the previewing process, htmLawed is set up as follows:
+
+ +    $processed = htmLawed($in, array('css_expression'=>1, 'keep_bad'=>1, 'make_tag_strict'=>1, 'schemes'=>'*:*', 'valid_xhtml'=>1)); +
+
+  For the final submission process, keep_bad is set to 6. A value of 1 for the preview process allows the author to note and correct any HTML mistake without losing any of the typed text.
+
3. A data-miner is scraping information in a specific table of similar web-pages and is collating the data rows, and uses htmLawed to reduce unnecessary markup and white-spaces:
+
+ +    $processed = htmLawed($in, array('elements'=>'tr, td', 'tidy'=>-1), 'tr, td ='); +
+ +
+
+

+3  Details +

(to top)
+

+3.1  Invalid/dangerous characters +

(to top)
+
+  Valid characters (more correctly, their code-points) in HTML or XML are, hexadecimally, 9, a, d, 20 to d7ff, and e000 to 10ffff, except fffe and ffff (decimally, 9, 10, 13, 32 to 55295, and 57344 to 1114111, except 65534 and 65535). htmLawed removes the invalid characters 0 to 8, b, c, and e to 1f.
+
+  Because of PHP's poor native support for multi-byte characters, htmLawed cannot check for the remaining invalid code-points. However, for various reasons, it is very unlikely for any of those characters to be in the input.
+
+  Characters that are discouraged (see section 5.1) but not invalid are not removed by htmLawed.
+
+  It (function hl_tag()) also replaces the potentially dangerous (in some Mozilla [Firefox] and Opera browsers) soft-hyphen character (code-point, hexadecimally, ad, or decimally, 173) in attribute values with spaces. Where required, the characters <, >, &, and " are converted to entities.
+
+  With $config["clean_ms_char"] set as 1 or 2, many of the discouraged characters (decimal code-points 127 to 159 except 133) that many Microsoft applications incorrectly use (as per the Windows 1252 [Cp-1252] or a similar encoding system), and the character for decimal code-point 133, are converted to appropriate decimal numerical entities (or removed for a few cases)-- see appendix in section 5.4. This can help avoid some display issues arising from copying-pasting of content.
+
+  With $config["clean_ms_char"] set as 2, characters for the hexadecimal code-points 82, 91, and 92 (for special single-quotes), and 84, 93, and 94 (for special double-quotes) are converted to ordinary single and double quotes respectively and not to entities.
+
+  The character values are replaced with entities/characters and not character values referred to by the entities/characters to keep this task independent of the character-encoding of input text.
+
+  The $config["clean_ms_char"] parameter should not be used if authors do not copy-paste Microsoft-created text, or if the input text is not believed to use the Windows 1252 (Cp-1252) or a similar encoding like Cp-1251 (otherwise, for example when UTF-8 encoding is in use, Japanese or Korean characters can get mangled). Further, the input form and the web-pages displaying it or its content should have the character encoding appropriately marked-up.
+ +
+

+3.2  Character references/entities +

(to top)
+
+  Valid character entities take the form &*; where * is #x followed by a hexadecimal number (hexadecimal numeric entity; like &#xA0; for non-breaking space), or alphanumeric like gt (external or named entity; like &nbsp; for non-breaking space), or # followed by a number (decimal numeric entity; like &#160; for non-breaking space). Character entities referring to the soft-hyphen character (the &shy; or \xad character; hexadecimal code-point ad [decimal 173]) in URL-accepting attribute values are always replaced with spaces; soft-hyphens in attribute values introduce vulnerabilities in some older versions of the Opera and Mozilla [Firefox] browsers.
+
+  htmLawed (function hl_ent()):
+
+  *  Neutralizes entities with multiple leading zeroes or missing semi-colons (potentially dangerous)
+
+  *  Lowercases the X (for XML-compliance) and A-F of hexadecimal numeric entities
+
+  *  Neutralizes entities referring to characters that are HTML-invalid (see section 3.1)
+
+  *  Neutralizes entities referring to characters that are HTML-discouraged (code-points, hexadecimally, 7f to 84, 86 to 9f, and fdd0 to fddf, or decimally, 127 to 132, 134 to 159, and 64991 to 64976). Entities referring to the remaining discouraged characters (see section 5.1 for a full list) are let through.
+
+  *  Neutralizes named entities that are not in the specifications
+
+  *  Optionally converts valid HTML-specific named entities except &gt;, &lt;, &quot;, and &amp; to decimal numeric ones (hexadecimal if $config["hexdec_entity"] is 2) for generic XML-compliance. For this, $config["named_entity"] should be 1.
+
+  *  Optionally converts hexadecimal numeric entities to the more widely supported decimal ones. For this, $config["hexdec_entity"] should be 0.
+
+  *  Optionally converts decimal numeric entities to the hexadecimal ones. For this, $config["hexdec_entity"] should be 2.
+
Neutralization refers to the entitification of & to &amp;.
+
Note: htmLawed does not convert entities to the actual characters represented by them; one can pass the htmLawed output through PHP's html_entity_decode function for that.
+
Note: If $config["and_mark"] is set, and set to a value other than 0, then the & characters in the original input are replaced with the control character for the hexadecimal code-point 6 (\x06; & characters introduced by htmLawed, e.g., after converting < to &lt;, are not affected). This allows one to distinguish, say, an &gt; introduced by htmLawed and an &gt; put in by the input writer, and can be helpful in further processing of the htmLawed-processed text (e.g., to identify the character sequence o(><)o to generate an emoticon image). When this feature is active, admins should ensure that the htmLawed output is not directly used in web pages or XML documents as the presence of the \x06 can break documents. Before use in such documents, and preferably before any storage, any remaining \x06 should be changed back to &, e.g., with:
+
+ +    $final = str_replace("\x06", '&', $prelim); +
+
+  Also, see section 3.9.
+ +
+

+3.3  HTML elements +

(to top)
+
+  htmLawed can be configured to allow only certain HTML elements (tags) in the input. Disallowed elements (just tag-content, and not element-content), based on $config["keep_bad"], are either neutralized (converted to plain text by entitification of < and >) or removed.
+
+  E.g., with only em permitted:
+
+  Input:
+
+ +      <em>My</em> website is <a href="http://a.com>a.com</a>. +
+
+  Output, with $config["keep_bad"] = 0:
+
+ +      <em>My</em> website is a.com. +
+
+  Output, with $config["keep_bad"] not 0:
+
+ +      <em>My</em> website is &lt;a href=""&gt;a.com&lt;/a&gt;. +
+
+  See section 3.3.3 for differences between the various non-zero $config["keep_bad"] values.
+
+  htmLawed by default permits these 118 HTML elements:
+
+ +    a, abbr, acronym, address, applet, area, article, aside, audio, b, bdi, bdo, big, blockquote, br, button, canvas, caption, center, cite, code, col, colgroup, command, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, embed, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hgroup, hr, i, iframe, img, input, ins, isindex, kbd, keygen, label, legend, li, link, main, map, mark, menu, meta, meter, nav, noscript, object, ol, optgroup, option, output, p, param, pre, progress, q, rb, rbc, rp, rt, rtc, ruby, s, samp, script, section, select, small, source, span, strike, strong, style, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, track, tt, u, ul, var, video, wbr +
+
+  The HTML version 4 elements acronym, applet, big, center, dir, font, strike, and tt are obsolete/deprecated in HTML version 5. On the other hand, the obsolete/deprecated HTML 4 elements embed, menu and u are no longer so in HTML 5. Elements new to HTML 5 are article, aside, audio, bdi, canvas, command, data, datalist, details, figure, figcaption, footer, header, hgroup, keygen, link, main, mark, meta, meter, nav, output, progress, section, source, style, summary, time, track, video, and wbr. The link, meta and style elements exist in HTML 4 but are not allowed in the HTML body. These 16 elements are empty elements that have an opening tag with possible content but no element content (thus, no closing tag): area, br, col, command, embed, hr, img, input, isindex, keygen, link, meta, param, source, track, and wbr.
+
+  With $config["safe"] = 1, the default set will exclude applet, audio, canvas, embed, iframe, object, script and video; see section 3.6.
+
+  When $config["elements"], which specifies allowed elements, is properly defined, and neither empty nor set to 0 or *, the default set is not used. To have elements added to or removed from the default set, a +/- notation is used. E.g., *-script-object implies that only script and object are disallowed, whereas *+embed means that noembed is also allowed. Elements can also be specified as comma separated names. E.g., a, b, i means only a, b and i are permitted. In this notation, *, + and - have no significance and can actually cause a mis-reading.
+
+  Some more examples of $config["elements"] values indicating permitted elements (note that empty spaces are liberally allowed for clarity):
+
+  *  a, blockquote, code, em, strong -- only a, blockquote, code, em, and strong
+  *  *-script -- all excluding script
+  *  * -acronym -big -center -dir -font -isindex -s -strike -tt -- only non-obsolete/deprecated elements of HTML5
+  *  *+noembed-script -- all including noembed excluding script
+
+  Some mis-usages (and the resulting permitted elements) that can be avoided:
+
+  *  -* -- none; instead of htmLawed, one might just use, e.g., the htmlspecialchars() PHP function
+  *  *, -script -- all except script; admin probably meant *-script
+  *  -*, a, em, strong -- all; admin probably meant a, em, strong
+  *  * -- all; admin need not have set elements
+  *  *-form+form -- all; a + will always over-ride any -
+  *  *, noembed -- only noembed; admin probably meant *+noembed
+  *  a, +b, i -- only a and i; admin probably meant a, b, i
+
+  Basically, when using the +/- notation, commas (,) should not be used, and vice versa, and * should be used with the former but not the latter.
+
Note: Even if an element that is not in the default set is allowed through $config["elements"], like noembed in the last example, it will eventually be removed during tag balancing unless such balancing is turned off ($config["balance"] set to 0). Currently, the only way around this, which actually is simple, is to edit htmLawed's PHP code which define various arrays in the function hl_bal() to accommodate the element and its nesting properties.
+
+  A possible second way to specify allowed elements is to set $config["parent"] to an element name that supposedly will hold the input, and to set $config["balance"] to 1. During tag balancing (see section 3.3.3), all elements that cannot legally nest inside the parent element will be removed. The parent element is auto-reset to div if $config["parent"] is empty, body, or an element not in htmLawed's default set of 118 elements.
+
Tag transformation is possible for improving compliance with HTML standards -- most of the obsolete/deprecated elements of HTML version 5 are converted to valid  ones; see section 3.3.2.
+ +

+3.3.1  Handling of comments & CDATA sections +

(to top)
+
CDATA sections have the format <![CDATA[...anything but not "]]>"...]]>, and HTML comments, <!--...anything but not "-->"... -->. Neither HTML comments nor CDATA sections can reside inside tags. HTML comments can exist anywhere else, but CDATA sections can exist only where plain text is allowed (e.g., immediately inside td element content but not immediately inside tr element content).
+
+  htmLawed (function hl_cmtcd()) handles HTML comments or CDATA sections depending on the values of $config["comment"] or $config["cdata"]. If 0, such markup is not looked for and the text is processed like plain text. If 1, it is removed completely. If 2, it is preserved but any <, > and & inside are changed to entities. If 3 for $config["cdata"], or 3 or 4 for $config["comment"], they are left as such. When $config["comment"] is set to 4, htmLawed will not force a space character before the --> comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).
+
+  Note that for the last two cases, HTML comments and CDATA sections will always be removed from tag content (function hl_tag()).
+
+  Examples:
+
+  Input:
+ +    <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a> +
+  Output ($config["comment"] = 0, $config["cdata"] = 2):
+ +    &lt;-- home link--&gt;<a href="home.htm"><![CDATA[x=&amp;y]]>Home</a> +
+  Output ($config["comment"] = 1, $config["cdata"] = 2):
+ +    <a href="home.htm"><![CDATA[x=&amp;y]]>Home</a> +
+  Output ($config["comment"] = 2, $config["cdata"] = 2):
+ +    <!-- home link --><a href="home.htm"><![CDATA[x=&amp;y]]>Home</a> +
+  Output ($config["comment"] = 2, $config["cdata"] = 1):
+ +    <!-- home link --><a href="home.htm">Home</a> +
+  Output ($config["comment"] = 3, $config["cdata"] = 3):
+ +    <!-- home link --><a href="home.htm"><![CDATA[x=&y]]>Home</a> +
+  Output ($config["comment"] = 4, $config["cdata"] = 3):
+ +    <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a> +
+
+  For standard-compliance, comments are given the form <!--comment -->, and any -- in the content is made -. When $config["comment"] is set to 4, htmLawed will not force a space character before the --> comment-closing marker.
+
+  When $config["safe"] = 1, CDATA sections and comments are considered plain text unless $config["comment"] or $config["cdata"] is explicitly specified; see section 3.6.
+ +
+

+3.3.2  Tag-transformation for better compliance with standards +

(to top)
+
+  If $config["make_tag_strict"] is set and not 0, following deprecated elements (and attributes), as per HTML 5 specification, even if admin-permitted, are mutated as indicated (element content remains intact; function hl_tag2()):
+
+  *  acronym - abbr
+  *  applet - based on $config["make_tag_strict"], unchanged (1) or removed (2)
+  *  big - span style="font-size: larger;"
+  *  center - div style="text-align: center;"
+  *  dir - ul
+  *  font (face, size, color) -    span style="font-family: ; font-size: ; color: ;" (size transformation reference)
+  *  isindex - based on $config["make_tag_strict"], unchanged (1) or removed (2)
+  *  s - span style="text-decoration: line-through;"
+  *  strike - span style="text-decoration: line-through;"
+  *  tt - code
+
+  For an element with a pre-existing style attribute value, the extra style properties are appended.
+
+  Example input:
+
+ +    <center> +
+ +     The PHP <s>software</s> script used for this <strike>web-page</strike> web-page is <font style="font-weight: bold " face=arial size='+3' color   =  "red  ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>. +
+ +    </center> +
+
+  The output:
+
+ +    <div style="text-align: center;"> +
+ +     The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <u style="color:green">PHP Labware</u>. +
+ +    </div> +
+ +
+

+3.3.3  Tag balancing & proper nesting +

(to top)
+
+  If $config["balance"] is set to 1, htmLawed (function hl_bal()) checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).
+
+  Depending on the value of $config["keep_bad"] (see section 2.2 and section 3.3), illegal content may be removed or neutralized to plain text by converting < and > to entities:
+
0 - remove; this option is available only to maintain Kses-compatibility and should not be used otherwise (see section 2.6)
1 - neutralize tags and keep element content
2 - remove tags but keep element content
3 and 4 - like 1 and 2, but keep element content only if text (pcdata) is valid in parent element as per specs
5 and 6 -  like 3 and 4, but line-breaks, tabs and spaces are left
+
+  Example input (disallowing the p element):
+
+ +    <*> Pseudo-tags <*> +
+ +    <xml>Non-HTML tag xml</xml> +
+ +    <p> +
+ +    Disallowed tag p +
+ +    </p> +
+ +    <ul>Bad<li>OK</li></ul> +
+
+  The output with $config["keep_bad"] = 1:
+
+ +    &lt;*&gt; Pseudo-tags &lt;*&gt; +
+ +    &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt; +
+ +    &lt;p&gt; +
+ +    Disallowed tag p +
+ +    &lt;/p&gt; +
+ +    <ul>Bad<li>OK</li></ul> +
+
+  The output with $config["keep_bad"] = 3:
+
+ +    &lt;*&gt; Pseudo-tags &lt;*&gt; +
+ +    &lt;xml&gt;Non-HTML tag xml&lt;/xml&gt; +
+ +    &lt;p&gt; +
+ +    Disallowed tag p +
+ +    &lt;/p&gt; +
+ +    <ul><li>OK</li></ul> +
+
+  The output with $config["keep_bad"] = 6:
+
+ +    &lt;*&gt; Pseudo-tags &lt;*&gt; +
+ +    Non-HTML tag xml +
+
+ +    Disallowed tag p +
+
+ +    <ul><li>OK</li></ul> +
+
+  An option like 1 is useful, e.g., when a writer previews his submission, whereas one like 3 is useful before content is finalized and made available to all.
+
Note: In the example above, unlike <*>, <xml> gets considered as a tag (even though there is no HTML element named xml). Thus, the keep_bad parameter's value affects <xml> but not <*>. In general, text matching the regular expression pattern <(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?> is considered a tag (phrase enclosed by the angled brackets < and >, and starting [with an optional slash preceding] with an alphanumeric word that starts with an alphabet...), and is subjected to the keep_bad value.
+
+  Nesting/content rules for each of the 118 elements in htmLawed's default set (see section 3.3) are defined in function hl_bal(). This means that if a non-standard element besides embed is being permitted through $config["elements"], the element's tag content will end up getting removed if $config["balance"] is set to 1.
+
+  Plain text and/or certain elements nested inside blockquote, form, map and noscript need to be in block-level elements. This point is often missed during manual writing of HTML code. htmLawed attempts to address this during balancing. E.g., if the parent container is set as form, the input B:<input type="text" value="b" />C:<input type="text" value="c" /> is converted to <div>B:<input type="text" value="b" />C:<input type="text" value="c" /></div>.
+ +
+

+3.3.4  Elements requiring child elements +

(to top)
+
+  As per HTML specifications, elements such as those below require legal child elements nested inside them:
+
+ +    blockquote, dir, dl, form, map, menu, noscript, ol, optgroup, rbc, rtc, ruby, select, table, tbody, tfoot, thead, tr, ul +
+
+  In some cases, the specifications stipulate the number and/or the ordering of the child elements. A table can have 0 or 1 caption, tbody, tfoot, and thead, but they must be in this order: caption, thead, tfoot, tbody.
+
+  htmLawed currently does not check for conformance to these rules. Note that any non-compliance in this regard will not introduce security vulnerabilities, crash browser applications, or affect the rendering of web-pages.
+
+  With $config["direct_list_nest"] set to 1, htmLawed will allow direct nesting of ol, ul, or menu list within another ol, ul, or menu without requiring the child list to be within an li of the parent list. While this may not be standard-compliant, directly nested lists are rendered properly by almost all browsers. The parameter $config["direct_list_nest"] has no effect if tag balancing (section 3.3.3) is turned off.
+ +
+

+3.3.5  Beautify or compact HTML +

(to top)
+
+  By default, htmLawed will neither beautify HTML code by formatting it with indentations, etc., nor will it make it compact by removing un-needed white-space.(It does always properly white-space tag content.)
+
+  As per the HTML standards, spaces, tabs and line-breaks in web-pages (except those inside pre elements) are all considered equivalent, and referred to as white-spaces. Browser applications are supposed to consider contiguous white-spaces as just a single space, and to disregard white-spaces trailing opening tags or preceding closing tags. This white-space normalization allows the use of text/code beautifully formatted with indentations and line-spacings for readability. Such pretty HTML can, however, increase the size of web-pages, or make the extraction or scraping of plain text cumbersome.
+
+  With the $config parameter tidy, htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides pre, the script and textarea elements, CDATA sections, and HTML comments are not subjected to the tidying process.
+
+  To compact, use $config["tidy"] = -1; single instances or runs of white-spaces are replaced with a single space, and white-spaces trailing and leading open and closing tags, respectively, are removed.
+
+  To beautify, $config["tidy"] is set as 1, or for customized tidying, as a string like 2s2n. The s or t character specifies the use of spaces or tabs for indentation. The first and third characters, any of the digits 0-9, specify the number of spaces or tabs per indentation, and any parental lead spacing (extra indenting of the whole block of input text). The r and n characters are used to specify line-break characters: n for \n (Unix/Mac OS X line-breaks), rn or nr for \r\n (Windows/DOS line-breaks), or r for \r.
+
+  The $config["tidy"] value of 1 is equivalent to 2s0n. Other $config["tidy"] values are read loosely: a value of 4 is equivalent to 4s0n; t2, to 1t2n; s, to 2s0n; 2TR, to 2t0r; T1, to 1t1n; nr3, to 3s0nr, and so on. Except in the indentations and line-spacings, runs of white-spaces are replaced with a single space during beautification.
+
+  Input formatting using $config["tidy"] is not recommended when input text has mixed markup (like HTML + PHP).
+ +
+

+3.4  Attributes +

(to top)
+
+  In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in section 5.2. Using the $spec argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (section 2.3).
+
+  Custom data-* (data-star) attributes, where the first three characters of the value of star (*) after lower-casing do not equal xml, and the value of star does not have a colon (:), equal-to (=), newline, solidus (/), space or tab character, or any upper-case A-Z character are allowed in all elements. ARIA, event and microdata attributes like aria-live, onclick and itemid are also considered global attributes (section 5.2).
+
+  When $config["deny_attribute"] is not set, or set to 0, or empty (""), all attributes are permitted. Otherwise, $config["deny_attribute"] can be set as a list of comma-separated names of the denied attributes. on* can be used to refer to the group of potentially dangerous, script-accepting event attributes like onblur and onchange that have on at the beginning of their names. Similarly, aria* and data* can be used to respectively refer to the set of all ARIA and data-* attributes.
+
+  With $config["safe"] = 1 (section 3.6), the on* event attributes are automatically disallowed even if a value for $config["deny_attribute"] has been manually provided.
+
+  Note that attributes specified in $config["deny_attribute"] are denied globally, for all elements. To deny attributes for only specific elements, $spec (see section 2.3) can be used. $spec can also be used to element-specifically permit an attribute otherwise denied through $config["deny_attribute"].
+
+  Finer restrictions on attributes can also be put into effect through $config["hook_tag"] (section 3.4.9).
+
Note: To deny all but a few attributes globally, a simpler way to specify $config["deny_attribute"] would be to use the notation * -attribute1 -attribute2 .... Thus, a value of * -title -href implies that except href and title (where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter safe (section 3.6) will have no effect on deny_attribute. Values of aria* data*, and on* cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.
+
+  htmLawed (function hl_tag()) also:
+
+  *  Lower-cases attribute names
+  *  Removes duplicate attributes (last one stays)
+  *  Gives attributes the form name="value" and single-spaces them, removing unnecessary white-spacing
+  *  Provides required attributes (see section 3.4.1)
+  *  Double-quotes values and escapes any " inside them
+  *  Replaces the possibly dangerous soft-hyphen characters (hexadecimal code-point ad) in the values with spaces
+  *  Allows custom function to additionally filter/modify attribute values (see section 3.4.9)
+ +

+3.4.1  Auto-addition of XHTML-required attributes +

(to top)
+
+  If indicated attributes for the following elements are found missing, htmLawed (function hl_tag()) will add them (with values same as attribute names unless indicated otherwise below):
+
+  *  area - alt (area)
+  *  area, img - src, alt (image)
+  *  bdo - dir (ltr)
+  *  form - action
+  *  label - command
+  *  map - name
+  *  optgroup - label
+  *  param - name
+  *  style - scoped
+  *  textarea - rows (10), cols (50)
+
+  Additionally, with $config["xml:lang"] set to 1 or 2, if the lang but not the xml:lang attribute is declared, then the latter is added too, with a value copied from that of lang. This is for better standard-compliance. With $config["xml:lang"] set to 2, the lang attribute is removed (XHTML specification).
+
+  Note that the name attribute for map, invalid in XHTML, is also transformed if required -- see section 3.4.6.
+ +
+

+3.4.2  Duplicate/invalid id values +

(to top)
+
+  If $config["unique_ids"] is 1, htmLawed (function hl_tag()) removes id attributes with values that are not standards-compliant (must not have a space character) or duplicate. If $config["unique_ids"] is a word (without a non-word character like space), any duplicate but otherwise valid value will be appropriately prefixed with the word to ensure its uniqueness.
+
+  Even if multiple inputs need to be filtered (through multiple calls to htmLawed), htmLawed ensures uniqueness of id values as it uses a global variable ($GLOBALS["hl_Ids"] array). Further, an admin can restrict the use of certain id values by presetting this variable before htmLawed is called into use. E.g.:
+
+ +    $GLOBALS['hl_Ids'] = array('top'=>1, 'bottom'=>1, 'myform'=>1); // id values not allowed in input +
+ +    $processed = htmLawed($text); // filter input +
+ +
+

+3.4.3  URL schemes & scripts in attribute values +

(to top)
+
+  htmLawed edits attributes that take URLs as values if they are found to contain un-permitted schemes. E.g., if the afp scheme is not permitted, then <a href="afp://domain.org"> becomes <a href="denied:afp://domain.org">, and if Javascript is not permitted <a onclick="javascript:xss();"> becomes <a onclick="denied:javascript:xss();">.
+
+  By default htmLawed permits these schemes in URLs for the href attribute:
+
+ +    aim, app, feed, file, ftp, gopher, http, https, javascript, irc, mailto, news, nntp, sftp, ssh, tel, telnet +
+
+  Also, only data, file, http, https and javascript are permitted in these attributes that accept URLs:
+
+ +    action, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, src, srcset, style, usemap, and event attributes like onclick +
+
+  With $config["safe"] = 1 (section 3.6), the above is changed to disallow app, data and javascript.
+
+  These default sets are used when $config["schemes"] is not set (see section 2.2). To over-ride the defaults, $config["schemes"] is defined as a string of semi-colon-separated sub-strings of type attribute: comma-separated schemes. E.g., href: mailto, http, https; onclick: javascript; src: http, https. For unspecified attributes, data, file, http, https and javascript are permitted. This can be changed by passing schemes for * in $config["schemes"]. E.g., href: mailto, http, https; *: https, https.
+
* (asterisk) can be put in the list of schemes to permit all protocols. E.g., style: *; img: http, https results in protocols not being checked in style attribute values. However, in such cases, any relative-to-absolute URL conversion, or vice versa, (section 3.4.4) is not done. When an attribute is explicitly listed in $config["schemes"], then filtering is dictated by the setting for the attribute, with no effect of the setting for asterisk. That is, the set of attributes that asterisk refers to no longer includes the listed attribute.
+
+  Thus, to allow the xmpp scheme, one can set $config["schemes"] as href: mailto, http, https; *: http, https, xmpp, or href: mailto, http, https, xmpp; *: http, https, xmpp, or *: *, and so on. The consequence of each of these example values will be different (e.g., only the last two but not the first will allow xmpp in href)
+
+  As a side-note, one may find style: * useful as URLs in style attributes can be specified in a variety of ways, and the patterns that htmLawed uses to identify URLs may mistakenly identify non-URL text.
+
! can be put in the list of schemes to disallow all protocols as well as local URLs. Thus, with href: http, style: !, <a href="http://cnn.com" style="background-image: url(local.jpg);">CNN</a> will become <a href="http://cnn.com" style="background-image: url(denied:local.jpg);">CNN</a>
+
Note: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string src (e.g., dynsrc) or starts with o (e.g., onbeforecopy).
+
+  With $config["safe"] = 1, all URLs are disallowed in the style attribute values.
+ +
+

+3.4.4  Absolute & relative URLs in attribute values +

(to top)
+
+  htmLawed can make absolute URLs in attributes like href relative ($config["abs_url"] is -1), and vice versa ($config["abs_url"] is 1). URLs in scripts are not considered for this, and so are URLs like #section_6 (fragment), ?name=Tim#show (starting with query string), and ;var=1?name=Tim#show (starting with parameters). Further, this requires that $config["base_url"] be set properly, with the :// and a trailing slash (/), with no query string, etc. E.g., file:///D:/page/, https://abc.com/x/y/, or http://localhost/demo/ are okay, but file:///D:/page/?help=1, abc.com/x/y/ and http://localhost/demo/index.htm are not.
+
+  For making absolute URLs relative, only those URLs that have the $config["base_url"] string at the beginning are converted. E.g., with $config["base_url"] = "https://abc.com/x/y/", https://abc.com/x/y/a.gif and https://abc.com/x/y/z/b.gif become a.gif and z/b.gif respectively, while https://abc.com/x/c.gif is not changed.
+
+  When making relative URLs absolute, only values for scheme, network location (host-name) and path values in the base URL are inherited. See section 5.5 for more about the URL specification as per RFC 1808.
+ +
+

+3.4.5  Lower-cased, standard attribute values +

(to top)
+
+  Optionally, for standard-compliance, htmLawed (function hl_tag()) lower-cases standard attribute values to give, e.g., input type="password" instead of input type="Password", if $config["lc_std_val"] is 1. Attribute values matching those listed below for any of the elements listed further below (plus those for the type attribute of button or input) are lower-cased:
+
+ +    all, auto, baseline, bottom, button, captions, center, chapters, char, checkbox, circle, col, colgroup, color, cols, data, date, datetime, datetime-local, default, descriptions, email, file, get, groups, hidden, image, justify, left, ltr, metadata, middle, month, none, number, object, password, poly, post, preserve, radio, range, rect, ref, reset, right, row, rowgroup, rows, rtl, search, submit, subtitles, tel, text, time, top, url, week +
+
+ +    a, area, bdo, button, col, fieldset, form, img, input, object, ol, optgroup, option, param, script, select, table, td, textarea, tfoot, th, thead, tr, track, xml:space +
+
+  The following empty (minimized) attributes are always assigned lower-cased values (same as the attribute names):
+
+ +    checkbox, checked, command, compact, declare, defer, default, disabled, hidden, inert, ismap, itemscope, multiple, nohref, noresize, noshade, nowrap, open, radio, readonly, required, reversed, selected +
+ +
+

+3.4.6  Transformation of deprecated attributes +

(to top)
+
+  If $config["no_deprecated_attr"] is 0, then deprecated attributes are removed and, in most cases, their values are transformed to CSS style properties and added to the style attributes (function hl_tag()). Except for bordercolor for table, tr and td, the scores of proprietary attributes that were never part of any cross-browser standard are not supported in this functionality.
+
+  *  align in caption, div, h, h2, h3, h4, h5, h6, hr, img, input, legend, object, p, table - for img with value of left or right, becomes, e.g., float: left; for div and table with value center, becomes margin: auto; all others become, e.g., text-align: right
+  *  bgcolor in table, td, th and tr - E.g., bgcolor="#ffffff" becomes background-color: #ffffff
+  *  border in object - E.g., height="10" becomes height: 10px
+  *  bordercolor in table, td and tr - E.g., bordercolor=#999999 becomes border-color: #999999;
+  *  compact in dl, ol and ul - font-size: 85%
+  *  cellspacing in table - cellspacing="10" becomes border-spacing: 10px
+  *  clear in br - E.g., 'clear="all" becomes clear: both
+  *  height in td and th - E.g., height= "10" becomes height: 10px and height="*" becomes height: auto
+  *  hspace in img and object - E.g., hspace="10" becomes margin-left: 10px; margin-right: 10px
+  *  language in script - language="VBScript" becomes type="text/vbscript"
+  *  name in a, form, iframe, img and map - E.g., name="xx" becomes id="xx"
+  *  noshade in hr - border-style: none; border: 0; background-color: gray; color: gray
+  *  nowrap in td and th - white-space: nowrap
+  *  size in hr - E.g., size="10" becomes height: 10px
+  *  vspace in img and object - E.g., vspace="10" becomes margin-top: 10px; margin-bottom: 10px
+  *  width in hr, pre, table, td and th - like height
+
+  Example input:
+
+ +    <img src="j.gif" alt="image" name="dad's" /><img src="k.gif" alt="image" id="dad_off" name="dad" /> +
+ +    <br clear="left" /> +
+ +    <hr noshade size="1" /> +
+ +    <img name="img" src="i.gif" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" /> +
+ +    <table width="50em" align="center" bgcolor="red"> +
+ +     <tr> +
+ +      <td width="20%"> +
+ +       <div align="center"> +
+ +        <h3 align="right">Section</h3> +
+ +        <p align="right">Para</p> +
+ +       </div> +
+ +      </td> +
+ +      <td width="*"> +
+ +      </td> +
+ +     </tr> +
+ +    </table> +
+ +    <br clear="all" /> +
+
+  And the output with $config["no_deprecated_attr"] = 1:
+
+ +    <img src="j.gif" alt="image" id="dad's" /><img src="k.gif" alt="image" id="dad_off" /> +
+ +    <br style="clear: left;" /> +
+ +    <hr style="border-style: none; border: 0; background-color: gray; color: gray; size: 1px;" /> +
+ +    <img src="i.gif" alt="image" width="10em" height="20" style="padding:5px; float: left; margin-left: 10px; margin-right: 10px; margin-top: 10px; margin-bottom: 10px; border: 1px;" id="img" /> +
+ +    <table width="50em" style="margin: auto; background-color: red;"> +
+ +     <tr> +
+ +      <td style="width: 20%;"> +
+ +       <div style="margin: auto;"> +
+ +        <h3 style="text-align: right;">Section</h3> +
+ +        <p style="text-align: right;">Para</p> +
+ +       </div> +
+ +      </td> +
+ +      <td style="width: auto;"> +
+ +      </td> +
+ +     </tr> +
+ +    </table> +
+ +    <br style="clear: both;" /> +
+
+  For lang, deprecated in XHTML 1.1, transformation is taken care of through $config["xml:lang"]; see section 3.4.1.
+
+  The attribute name is deprecated in form, iframe, and img, and is replaced with id if an id attribute doesn't exist and if the name value is appropriate for id (i.e., doesn't have a non-word character like space). For such replacements for a and map, for which the name attribute is deprecated in XHTML 1.1, $config["no_deprecated_attr"] should be set to 2 (when set to 1, for these two elements, the name attribute is retained).
+ +
+

+3.4.7  Anti-spam & href +

(to top)
+
+  htmLawed (function hl_tag()) can check the href attribute values (link addresses) as an anti-spam (email or link spam) measure.
+
+  If $config["anti_mail_spam"] is not 0, the @ of email addresses in href values like mailto:a@b.com is replaced with text specified by $config["anti_mail_spam"]. The text should be of a form that makes it clear to others that the address needs to be edited before a mail is sent; e.g., <remove_this_antispam>@ (makes the example address a<remove_this_antispam>@b.com).
+
+  For regular links, one can choose to have a rel attribute with nofollow in its value (which tells some search engines to not follow a link). This can discourage link spammers. Additionally, or as an alternative, one can choose to empty the href value altogether (disable the link).
+
+  For use of these options, $config["anti_link_spam"] should be set as an array with values regex1 and regex2, both or one of which can be empty (like array("", "regex2")) to indicate that that option is not to be used. Otherwise, regex1 or regex2 should be PHP- and PCRE-compatible regular expression patterns: href values will be matched against them and those matching the pattern will accordingly be treated.
+
+  Note that the regular expressions should have delimiters, and be well-formed and preferably fast. Absolute efficiency/accuracy is often not needed.
+
+  An example, to have a rel attribute with nofollow for all links, and to disable links that do not point to domains abc.com and xyz.org:
+
+ +    $config["anti_link_spam"] = array('`.`', '`://\W*(?!(abc\.com|xyz\.org))`'); +
+ +
+

+3.4.8  Inline style properties +

(to top)
+
+  htmLawed can check URL schemes and dynamic expressions (to guard against Javascript, etc., script-based insecurities) in inline CSS style property values in the style attributes. (CSS properties like background-image that accept URLs in their values are noted in section 5.3.) Dynamic CSS expressions that allow scripting in the IE browser, and can be a vulnerability, can be removed from property values by setting $config["css_expression"] to 1 (default setting). Note that when $config["css_expression"] is set to 1, htmLawed will remove /* from the style values.
+
Note: Because of the various ways of representing characters in attribute values (URL-escapement, entitification, etc.), htmLawed might alter the values of the style attribute values, and may even falsely identify dynamic CSS expressions and URL schemes in them. If this is an important issue, checking of URLs and dynamic expressions can be turned off ($config["schemes"] = "...style:*...", see section 3.4.3, and $config["css_expression"] = 0). Alternately, admins can use their own custom function for finer handling of style values through the hook_tag parameter (see section 3.4.9).
+
+  It is also possible to have htmLawed let through any style value by setting $config["style_pass"] to 1.
+
+  As such, it is better to set up a CSS file with class declarations, disallow the style attribute, set a $spec rule (see section 2.3) for class for the oneof or match parameter, and ask writers to make use of the class attribute.
+ +
+

+3.4.9  Hook function for tag content +

(to top)
+
+  It is possible to utilize a custom hook function to alter the tag content htmLawed has finalized (i.e., after it has checked/corrected for required attributes, transformed attributes, lower-cased attribute names, etc.).
+
+  When $config parameter hook_tag is set to the name of a function, htmLawed (function hl_tag()) will pass on the element name, and the finalized attribute name-value pairs as array elements to the function. The function, after completing a task such as filtering or tag transformation, will typically return an empty string, the full opening tag string like <element_name attribute_1_name="attribute_1_value"...> (for empty elements like img and input, the element-closing slash / should also be included), etc.
+
+  Any hook_tag function, since htmLawed version 1.1.11, also receives names of elements in closing tags, such as a in the closing </a> tag of the element <a href="http://cnn.com">CNN</a>. No other value is passed to the function since a closing tag contains only element names. Typically, the function will return an empty string or a full closing tag (like </a>).
+
+  This is a powerful functionality that can be exploited for various objectives: consolidate-and-convert inline style attributes to class, convert embed elements to object, permit only one caption element in a table element, disallow embedding of certain types of media, inject HTML, use CSSTidy to sanitize style attribute values, etc.
+
+  As an example, the custom hook code below can be used to force a series of specifically ordered id attributes on all elements, and a specific param element inside all object elements:
+
+ +    function my_tag_function($element, $attribute_array=0){ +
+
+ +      // If second argument is not received, it means a closing tag is being handled +
+ +      if(is_numeric($attribute_array)){ +
+ +        return "</$element>"; +
+ +      } +
+
+ +      static $id = 0; +
+ +      // Remove any duplicate element +
+ +      if($element == 'param' && isset($attribute_array['allowscriptaccess'])){ +
+ +        return ''; +
+ +      } +
+
+ +      $new_element = ''; +
+
+ +      // Force a serialized ID number +
+ +      $attribute_array['id'] = 'my_'. $id; +
+ +      ++$id; +
+
+ +      // Inject param for allowscriptaccess +
+ +      if($element == 'object'){ +
+ +        $new_element = '<param id="my_'. $id. '"; allowscriptaccess="never" />'; +
+ +        ++$id; +
+ +      } +
+
+ +      $string = ''; +
+ +      foreach($attribute_array as $k=>$v){ +
+ +        $string .= " {$k}=\"{$v}\""; +
+ +      } +
+
+ +      static $empty_elements = array('area'=>1, 'br'=>1, 'col'=>1, 'command'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1, 'input'=>1, 'isindex'=>1, 'keygen'=>1, 'link'=>1, 'meta'=>1, 'param'=>1, 'source'=>1, 'track'=>1, 'wbr'=>1); +
+
+ +      return "<{$element}{$string}". (array_key_exists($element, $empty_elements) ? ' /' : ''). '>'. $new_element; +
+ +    } +
+
+  The hook_tag parameter is different from the hook parameter (section 3.7).
+
+  Snippets of hook function code developed by others may be available on the htmLawed website.
+ +
+

+3.5  Simple configuration directive for most valid XHTML +

(to top)
+
+  If $config["valid_xhtml"] is set to 1, some relevant $config parameters (indicated by ~ in section 2.2) are auto-adjusted. This allows one to pass the $config argument with a simpler value. If a value for a parameter auto-set through valid_xhtml is still manually provided, then that value will over-ride the auto-set value.
+ +
+

+3.6  Simple configuration directive for most safe HTML +

(to top)
+
Safe HTML refers to HTML that is restricted to reduce the vulnerability for scripting attacks (such as XSS) based on HTML code which otherwise may still be legal and compliant with the HTML standard specifications. When elements such as script and object, and attributes such as onmouseover and style are allowed in the input text, an input writer can introduce malevolent HTML code. Note that what is considered safe depends on the nature of the web application and the trust-level accorded to its users.
+
+  htmLawed allows an admin to use $config["safe"] to auto-adjust multiple $config parameters (such as elements which declares the allowed element-set), which otherwise would have to be manually set. The relevant parameters are indicated by " in section 2.2). Thus, one can pass the $config argument with a simpler value. Having the safe parameter set to 1 is equivalent to setting the following $config parameters to the noted values :
+
+ +    cdata - 0 +
+ +    comment - 0 +
+ +    deny_attribute - on* +
+ +    elements - * -applet -audio -canvas -embed -iframe -object -script -video +
+ +    schemes - href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet; style: !; *:file, http, https +
+
+  With safe set to 1, htmLawed considers CDATA sections and HTML comments as plain text, and prohibits the applet, audio, canvas, embed, iframe, object, script and video elements, and the on* attributes like onclick. ( There are $config parameters like css_expression that are not affected by the value set for safe but whose default values still contribute towards a more safe output.) Further, unless overridden by the value for parameter schemes (see section 3.4.3), the schemes app, data and javascript are not permitted, and URLs with schemes are neutralized so that, e.g., style="moz-binding:url(http://danger)" becomes style="moz-binding:url(denied:http://danger)".
+
+  Admins, however, may still want to completely deny the style attribute, e.g., with code like
+
+ +    $processed = htmLawed($text, array('safe'=>1, 'deny_attribute'=>'style')); +
+
+  Permitting the style attribute brings in risks of click-jacking, etc. CSS property values can render a page non-functional or be used to deface it. Except for URLs, dynamic expressions, and some other things, htmLawed does not completely check style values. It does provide ways for the code-developer implementing htmLawed to do such checks through the $spec argument, and through the hook_tag parameter (see section 3.4.8 for more). Disallowing style completely and relying on CSS classes and stylesheet files is recommended.
+
+  If a value for a parameter auto-set through safe is still manually provided, then that value can over-ride the auto-set value. E.g., with $config["safe"] = 1 and $config["elements"] = "* +script", script, but not applet, is allowed. Such over-ride does not occur for deny_attribute (for legacy reason) when comma-separated attribute names are provided as the value for this parameter (section 3.4); instead htmLawed will add on* to the value provided for deny_attribute.
+
+  A page illustrating the efficacy of htmLawed's anti-XSS abilities with safe set to 1 against XSS vectors listed by RSnake may be available here.
+ +
+

+3.7  Using a hook function +

(to top)
+
+  If $config["hook"] is not set to 0, then htmLawed will allow preliminarily processed input to be altered by a hook function named by $config["hook"] before starting the main work (but after handling of characters, entities, HTML comments and CDATA sections -- see code for function htmLawed()).
+
+  The hook function also allows one to alter the finalized values of $config and $spec.
+
+  Note that the hook parameter is different from the hook_tag parameter (section 3.4.9).
+
+  Snippets of hook function code developed by others may be available on the htmLawed website.
+ +
+

+3.8  Obtaining finalized parameter values +

(to top)
+
+  htmLawed can assign the finalized $config and $spec values to a variable named by $config["show_setting"]. The variable, made global by htmLawed, is set as an array with three keys: config, with the $config value, spec, with the $spec value, and time, with a value that is the Unix time (the output of PHP's microtime() function) when the value was assigned. Admins should use a PHP-compliant variable name (e.g., one that does not begin with a numerical digit) that does not conflict with variable names in their non-htmLawed code.
+
+  The values, which are also post-hook function (if any), can be used to auto-generate information (on, e.g., the elements that are permitted) for input writers.
+ +
+

+3.9  Retaining non-HTML tags in input with mixed markup +

(to top)
+
+  htmLawed does not remove certain characters that, though invalid, are nevertheless discouraged in HTML documents as per the specifications (see section 5.1). This can be utilized to deal with input that contains mixed markup. Input that may have HTML markup as well as some other markup that is based on the <, > and & characters is considered to have mixed markup. The non-HTML markup can be rather proprietary (like markup for emoticons/smileys), or standard (like MathML or SVG). Or it can be programming code meant for execution/evaluation (such as embedded PHP code).
+
+  To deal with such mixed markup, the input text can be pre-processed to hide the non-HTML markup by specifically replacing the <, > and & characters with some of the HTML-discouraged characters (see section 3.1.2). Post-htmLawed processing, the replacements are reverted.
+
+  An example (mixed HTML and PHP code in input text):
+
+ +    $text = preg_replace('`<\?php(.+?)\?>`sm', "\x83?php\\1?\x84", $text); +
+ +    $processed = htmLawed($text); +
+ +    $processed = preg_replace('`\x83\?php(.+?)\?\x84`sm', '<?php$1?>', $processed); +
+
+  This code will not work if $config["clean_ms_char"] is set to 1 (section 3.1), in which case one should instead deploy a hook function (section 3.7). (htmLawed internally uses certain control characters, code-points 1 to 7, and use of these characters as markers in the logic of hook functions may cause issues.)
+
+  Admins may also be able to use $config["and_mark"] to deal with such mixed markup; see section 3.2.
+ +
+
+

+4  Other +

(to top)
+

+4.1  Support +

(to top)
+
+  Software updates and forum-based community-support may be found at http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed. For general PHP issues (not htmLawed-specific), support may be found through internet searches and at http://php.net.
+ +
+

+4.2  Known issues +

(to top)
+
+  See section 2.8.
+ +
+

+4.3  Change-log +

(to top)
+
+  (The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the htmLawed.php file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.)
+
Version number - Release date. Notes
+
+  1.2.6 - 4 September 2021. Fixes a bug that arises when $config["deny_attribute"] has a data-* attribute with > 1 hyphen character
+
+  1.2.5 - 24 September 2019. Fixes two bugs in font tag transformation
+
+  1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in $config["schemes"]
+
+  1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4
+
+  1.2.4 - 31 August 2017. Removes use of PHP create_function function and $php_errormsg reserved variable (deprecated in PHP 7.2)
+
+  1.2.3 - 5 July 2017. New option value of 4 for $config["comments"] to stop enforcing a space character before the --> comment-closing marker
+
+  1.2.2 - 25 May 2017. Fix for a bug in parsing $spec that got introduced in version 1.2; also, $spec is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules
+
+  1.2.1.1 - 17 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes
+
+  1.2.1 - 15 May 2017. Fix for a potential security vulnerability in transformation of deprecated attributes
+
+  1.2 - 11 February 2017. (First beta release on 26 May 2013). Added support for HTML version 5; ARIA, data-* and microdata attributes; app, data, javascript and tel URL schemes (thus, javascript: is not filtered in default mode). Removed support for code using Kses functions (see section 2.6). Changes in revisions to the beta releases are not noted here.
+
+  1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in $spec
+
+  1.1.21 - 27 February 2016. Improvement and security fix in transforming font element
+
+  1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML 4) standard allowfullscreen attribute of iframe
+
+  1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc
+
+  1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags
+
+  1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with e modifier for compatibility with PHP 5.5.
+
+  1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specialy encoded space characters in URL schemes/protocols
+
+  1.1.15 - 11 August 2013. Improved tidying/prettifying functionality
+
+  1.1.14 - 8 August 2012. Fix for possible segmental loss of incremental indentation during tidying when balance is disabled; fix for non-effectuation under some circumstances of a corrective behavior to preserve plain text within elements like blockquote
+
+  1.1.13 - 22 July 2012. Added feature allowing use of custom, non-standard attributes or custom rules for standard attributes
+
+  1.1.12 - 5 July 2012. Fix for a bug in identifying an unquoted value of the face attribute
+
+  1.1.11 - 5 June 2012. Fix for possible problem with handling of multi-byte characters in attribute values in an mbstring.func_overload enviroment. $config["hook_tag"], if specified, now receives names of elements in closing tags.
+
+  1.1.10 - 22 October 2011. Fix for a bug in the tidy functionality that caused the entire input to be replaced with a single space; new parameter, $config["direct_list_nest"] to allow direct descendance of a list in a list. (5 April 2012. Dual licensing from LGPLv3 to LGPLv3 and GPLv2+.)
+
+  1.1.9.5 - 6 July 2011. Minor correction of a rule for nesting of li within dir
+
+  1.1.9.4 - 3 July 2010. Parameter schemes now accepts ! so any URL, even a local one, can be denied. An issue in which a second URL value in style properties was not checked was fixed.
+
+  1.1.9.3 - 17 May 2010. Checks for correct nesting of param
+
+  1.1.9.2 - 26 April 2010. Minor fix regarding rendering of denied URL schemes
+
+  1.1.9.1 - 26 February 2010. htmLawed now uses the LGPL version 3 license; support for flashvars attribute for embed
+
+  1.1.9 - 22 December 2009. Soft-hyphens are now removed only from URL-accepting attribute values
+
+  1.1.8.1 - 16 July 2009. Minor code-change to fix a PHP error notice
+
+  1.1.8 - 23 April 2009. Parameter deny_attribute now accepts the wild-card *, making it simpler to specify its value when all but a few attributes are being denied; fixed a bug in interpreting $spec
+
+  1.1.7 - 11-12 March 2009. Attributes globally denied through deny_attribute can be allowed element-specifically through $spec; $config["style_pass"] allowing letting through any style value introduced; altered logic to catch certain types of dynamic crafted CSS expressions
+
+  1.1.3-6 - 28-31 January - 4 February 2009. Altered logic to catch certain types of dynamic crafted CSS expressions
+
+  1.1.2 - 22 January 2009. Fixed bug in parsing of font attributes during tag transformation
+
+  1.1.1 - 27 September 2008. Better nesting correction when omitable closing tags are absent
+
+  1.1 - 29 June 2008. $config["hook_tag"] and $config["tidy"] introduced for custom tag/attribute check/modification/injection and output compaction/beautification; fixed a regex-in-$spec parsing bug
+
+  1.0.9 - 11 June 2008. Fix for a bug in checks for invalid HTML code-point entities
+
+  1.0.8 - 15 May 2008. Permit bordercolor attribute for table, td and tr
+
+  1.0.7 - 1 May 2008. Support for wmode attribute for embed; $config["show_setting"] introduced; improved $config["elements"] evaluation
+
+  1.0.6 - 20 April 2008. $config["and_mark"] introduced
+
+  1.0.5 - 12 March 2008. style URL schemes essentially disallowed when $config safe is on; improved regex for CSS expression search
+
+  1.0.4 - 10 March 2008. Improved corrections for blockquote, form, map and noscript
+
+  1.0.3 - 3 March 2008. Character entities for soft-hyphens are now replaced with spaces (instead of being removed); fix for a bug allowing td directly inside table; $config["safe"] introduced
+
+  1.0.2 - 13 February 2008. Improved implementation of $config["keep_bad"]
+
+  1.0.1 - 7 November 2007. Improved regex for identifying URLs, protocols and dynamic expressions (hl_tag() and hl_prot()); no error display with hl_regex()
+
+  1.0 - 2 November 2007. First release
+ +
+

+4.4  Testing +

(to top)
+
+  To test htmLawed using a form interface, a demo web-page is provided with the htmLawed distribution (htmLawed.php and htmLawedTest.php should be in the same directory on the web-server). A file with test-cases is also provided.
+ +
+

+4.5  Upgrade, & old versions +

(to top)
+
+  Upgrading is as simple as replacing the previous version of htmLawed.php, assuming the file was not modified for customized features. As htmLawed output is almost always used in static documents, upgrading should not affect old, finalized content.
+
Note: The following upgrades may affect the functionality of a specific htmLawed installation:
+
+  (1) From version 1.1-1.1.10 to 1.1.11 or later, if a hook_tag function is in use: In version 1.1.11 and later, elements in closing tags (and not just the opening tags) are also passed to the function. There are no attribute names/values to pass, so a hook_tag function receives only the element name. The hook_tag function therefore may have to be edited. See section 3.4.9.
+
+  (2) From version older than 1.2.beta to later, if htmLawed was used as Kses replacement with Kses code in use: In version 1.2.beta or later, htmLawed no longer provides direct support for code that uses Kses functions (see section 2.6).
+
+  (3) From version older than 1.2 to later, if htmLawed is used without $config["safe"] set to 1: Unlike previous versions, htmLawed version 1.2 and later permit data and javascript URL schemes by default (see section 3.4.3).
+
+  Old versions of htmLawed may be available online. E.g., for version 1.0, check http://www.bioinformatics.org/phplabware/downloads/htmLawed1.zip; for 1.1.1, http://www.bioinformatics.org/phplabware/downloads/htmLawed111.zip; and for 1.1.22, http://www.bioinformatics.org/phplabware/downloads/htmLawed1122.zip.
+ +
+

+4.6  Comparison with HTMLPurifier +

(to top)
+
+  The HTMLPurifier PHP library by Edward Yang is a very good HTML filtering script that uses object oriented PHP code. Compared to htmLawed, it (as of year 2015):
+
+  *  does not support PHP versions older than 5.0 (HTMLPurifier dropped PHP 4 support after version 2)
+
+  *  is 15-20 times bigger (scores of files totalling more than 750 kb)
+
+  *  consumes 10-15 times more RAM memory (just including the HTMLPurifier files without calling the filter requires a few MBs of memory)
+
+  *  is expectedly slower
+
+  *  lacks many of the extra features of htmLawed (like entity conversions and code compaction/beautification)
+
+  *  has poor documentation
+
+  However, HTMLPurifier has finer checks for character encodings and attribute values, and can log warnings and errors. Visit the HTMLPurifier website for updated information.
+ +
+

+4.7  Use through application plug-ins/modules +

(to top)
+
+  Plug-ins/modules to implement htmLawed in applications such as Drupal may have been developed. Check the application websites and the htmLawed forum.
+ +
+

+4.8  Use in non-PHP applications +

(to top)
+
+  Non-PHP applications written in Python, Ruby, etc., may be able to use htmLawed through system calls to the PHP engine. Such code may have been documented on the internet. Also check the forum on the htmLawed site.
+ +
+

+4.9  Donate +

(to top)
+
+  A donation in any currency and amount to appreciate or support this software can be sent by PayPal to this email address: drpatnaik at yahoo dot com.
+ +
+

+4.10  Acknowledgements +

(to top)
+
+  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Alexandre Chouinard, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.
+
+  Thank you!
+ +
+
+

+5  Appendices +

(to top)
+

+5.1  Characters discouraged in XHTML +

(to top)
+
+  Characters represented by the following hexadecimal code-points are not invalid, even though some validators may issue messages stating otherwise.
+
7f to 84, 86 to 9f, fdd0 to fddf, 1fffe, 1ffff, 2fffe, 2ffff, 3fffe, 3ffff, 4fffe, 4ffff, 5fffe, 5ffff, 6fffe, 6ffff, 7fffe, 7ffff, 8fffe, 8ffff, 9fffe, 9ffff, afffe, affff, bfffe, bffff, cfffe, cffff, dfffe, dffff, efffe, effff, ffffe, fffff, 10fffe and 10ffff
+ +
+

+5.2  Valid attribute-element combinations +

(to top)
+
+  *  includes deprecated attributes (marked ^), attributes for microdata (marked *), the non-standard bordercolor, and new-in-HTML5 attributes (marked ~); can have multiple comma-separated values (marked %); can have multiple space-separated values (marked $)
+  *  only non-frameset, HTML body elements
+  *  name for a and map, and lang are invalid in XHTML 1.1
+  *  target is valid for a in XHTML 1.1 and higher
+  *  xml:space is only for XHTML 1.1
+
+  abbr - td, th
+  accept - form, input
+  accept-charset - form
+  action - form
+  align - applet, caption^, col, colgroup, div^, embed, h1^, h2^, h3^, h4^, h5^, h6^, hr^, iframe, img^, input^, legend^, object^, p^, table^, tbody, td, tfoot, th, thead, tr
+  allowfullscreen - iframe
+  alt - applet, area, img, input
+  archive - applet, object
+  async~ - script
+  autocomplete~ - input
+  autofocus~ - button, input, keygen, select, textarea
+  autoplay~ - audio, video
+  axis - td, th
+  bgcolor - embed, table^, td^, th^, tr^
+  border - img, object^, table
+  bordercolor - table, td, tr
+  cellpadding - table
+  cellspacing - table
+  challenge~ - keygen
+  char - col, colgroup, tbody, td, tfoot, th, thead, tr
+  charoff - col, colgroup, tbody, td, tfoot, th, thead, tr
+  charset - a, script
+  checked - command, input
+  cite - blockquote, del, ins, q
+  classid - object
+  clear - br^
+  code - applet
+  codebase - object, applet
+  codetype - object
+  color - font
+  cols - textarea
+  colspan - td, th
+  compact - dir, dl^, menu, ol^, ul^
+  content - meta
+  controls~ - audio, video
+  coords - area, a
+  crossorigin~ - img
+  data - object
+  datetime - del, ins, time
+  declare - object
+  default~ - track
+  defer - script
+  dir - bdo
+  dirname~ - input, textarea
+  disabled - button, command, fieldset, input, keygen, optgroup, option, select, textarea
+  download~ - a
+  enctype - form
+  face - font
+  flashvars** - embed
+  for - label, output
+  form~ - button, fieldset, input, keygen, label, object, output, select, textarea
+  formaction~ - button, input
+  formenctype~ - button, input
+  formmethod~ - button, input
+  formnovalidate~ - button, input
+  formtarget~ - button, input
+  frame - table
+  frameborder - iframe
+  headers - td, th
+  height - applet, canvas, embed, iframe, img, input, object, td^, th^, video
+  high~ - meter
+  href - a, area, link
+  hreflang - a, area, link
+  hspace - applet, embed, img^, object^
+  icon~ - command
+  ismap - img, input
+  keytype~ - keygen
+  keyparams~ - keygen
+  kind~ - track
+  label - command, menu, option, optgroup, track
+  language - script^
+  list~ - input
+  longdesc - img, iframe
+  loop~ - audio, video
+  low~ - meter
+  marginheight - iframe
+  marginwidth - iframe
+  max~ - input, meter, progress
+  maxlength - input, textarea
+  media~ - a, area, link, source, style
+  mediagroup~ - audio, video
+  method - form
+  min~ - input, meter
+  model** - embed
+  multiple - input, select
+  muted~ - audio, video
+  name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, textarea
+  nohref - area
+  noshade - hr^
+  novalidate~ - form
+  nowrap - td^, th^
+  object - applet
+  open~ - details
+  optimum~ - meter
+  pattern~ - input
+  ping~ - a, area
+  placeholder~ - input, textarea
+  pluginspage** - embed
+  pluginurl** - embed
+  poster~ - video
+  pqg~ - keygen
+  preload~ - audio, video
+  prompt - isindex
+  pubdate~ - time
+  radiogroup* - command
+  readonly - input, textarea
+  required~ - input, select, textarea
+  rel$ - a, area, link
+  rev - a
+  reversed~ - old
+  rows - textarea
+  rowspan - td, th
+  rules - table
+  sandbox~ - iframe
+  scope - td, th
+  scoped~ - style
+  scrolling - iframe
+  seamless~ - iframe
+  selected - option
+  shape - area, a
+  size - font, hr^, input, select
+  sizes~ - link
+  span - col, colgroup
+  src - audio, embed, iframe, img, input, script, source, track, video
+  srcdoc~ - iframe
+  srclang~ - track
+  srcset~% - img
+  standby - object
+  start - ol
+  step~ - input
+  summary - table
+  target - a, area, form
+  type - a, area, button, command, embed, input, li, link, menu, object, ol, param, script, source, style, ul
+  typemustmatch~ - object
+  usemap - img, input, object
+  valign - col, colgroup, tbody, td, tfoot, th, thead, tr
+  value - button, data, input, li, meter, option, param, progress
+  valuetype - param
+  vspace - applet, embed, img^, object^
+  width - applet, canvas, col, colgroup, embed, hr^, iframe, img, input, object, pre^, table, td^, th^, video
+  wmode - embed
+  wrap~ - textarea
+
+  The following attributes, including event-specific ones and attributes of ARIA and microdata specifications, are considered global and allowed in all elements:
+
+  accesskey, aria-activedescendant, aria-atomic, aria-autocomplete, aria-busy, aria-checked, aria-controls, aria-describedby, aria-disabled, aria-dropeffect, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class$, contenteditable, contextmenu, dir, draggable, dropzone, hidden, id, inert, itemid, itemprop, itemref, itemscope, itemtype, lang, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, role, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space
+
+  Custom data-* attributes, where the first three characters of the value of star (*) after lower-casing do not equal xml and the value of star does not have a colon (:), equal-to (=), newline, solidus (/), space, tab, or any A-Z character, are also considered global and allowed in all elements.
+ +
+

+5.3  CSS 2.1 properties accepting URLs +

(to top)
+
+  background
+  background-image
+  content
+  cue-after
+  cue-before
+  cursor
+  list-style
+  list-style-image
+  play-during
+ +
+

+5.4  Microsoft Windows 1252 character replacements +

(to top)
+
+  Key: d double, l left, q quote, r right, s. single
+
+  Code-point (decimal) - hexadecimal value - replacement entity - represented character
+
+  127 - 7f - (removed) - (not used)
+  128 - 80 - &#8364; - euro
+  129 - 81 - (removed) - (not used)
+  130 - 82 - &#8218; - baseline s. q
+  131 - 83 - &#402; - florin
+  132 - 84 - &#8222; - baseline d q
+  133 - 85 - &#8230; - ellipsis
+  134 - 86 - &#8224; - dagger
+  135 - 87 - &#8225; - d dagger
+  136 - 88 - &#710; - circumflex accent
+  137 - 89 - &#8240; - permile
+  138 - 8a - &#352; - S Hacek
+  139 - 8b - &#8249; - l s. guillemet
+  140 - 8c - &#338; - OE ligature
+  141 - 8d - (removed) - (not used)
+  142 - 8e - &#381; - Z dieresis
+  143 - 8f - (removed) - (not used)
+  144 - 90 - (removed) - (not used)
+  145 - 91 - &#8216; - l s. q
+  146 - 92 - &#8217; - r s. q
+  147 - 93 - &#8220; - l d q
+  148 - 94 - &#8221; - r d q
+  149 - 95 - &#8226; - bullet
+  150 - 96 - &#8211; - en dash
+  151 - 97 - &#8212; - em dash
+  152 - 98 - &#732; - tilde accent
+  153 - 99 - &#8482; - trademark
+  154 - 9a - &#353; - s Hacek
+  155 - 9b - &#8250; - r s. guillemet
+  156 - 9c - &#339; - oe ligature
+  157 - 9d - (removed) - (not used)
+  158 - 9e - &#382; - z dieresis
+  159 - 9f - &#376; - Y dieresis
+ +
+

+5.5  URL format +

(to top)
+
+  An absolute URL has a protocol or scheme, a network location or hostname, and, optional path, parameters, query and fragment segments. Thus, an absolute URL has this generic structure:
+
+ +    (scheme) : (//network location) /(path) ;(parameters) ?(query) #(fragment) +
+
+  The schemes can only contain letters, digits, +, . and -. Hostname is the portion after the // and up to the first / (if any; else, up to the end) when : is followed by a // (e.g., abc.com in ftp://abc.com/def); otherwise, it consists of everything after the : (e.g., def@abc.com in mailto:def@abc.com').
+
Relative URLs do not have explicit schemes and network locations; such values are inherited from a base URL.
+ +
+

+5.6  Brief on htmLawed code +

(to top)
+
+  Much of the code's logic and reasoning can be understood from the documentation above.
+
+  The output of htmLawed is a text string containing the processed input. There is no custom error tracking.
+
Function arguments for htmLawed are:
+
+  *  $in - first argument; a text string; the input text to be processed. Any extraneous slashes added by PHP when magic quotes are enabled should be removed beforehand using PHP's stripslashes() function.
+
+  *  $config - second argument; an associative array; optional; named $C within htmLawed code. The array has keys with names like balance and keep_bad, and the values, which can be boolean, string, or array, depending on the key, are read to accordingly set the configurable parameters (indicated by the keys). All configurable parameters receive some default value if the value to be used is not specified by the user through $config. Finalized $config is thus a filtered and possibly larger array.
+
+  *  $spec - third argument; a text string; optional. The string has rules, written in an htmLawed-designated format, specifying element-specific attribute and attribute value restrictions. Function hl_spec() is used to convert the string to an associative-array, named $S within htmLawed code, for internal use. Finalized $spec is thus an array.
+
Finalized $config and $spec are made global variables while htmLawed is at work. Values of any pre-existing global variables with same names are noted, and their values are restored after htmLawed finishes processing the input (to capture the finalized values, the show_settings parameter of $config should be used). Depending on $config, another global variable hl_Ids, to track id attribute values for uniqueness, may be set. Unlike the other two variables, this one is not reset (or unset) post-processing.
+
+  Except for the main htmLawed() function, htmLawed's functions are name-spaced using the hl_ prefix. The functions and their roles are:
+
+  *  hl_attrval - check attribute values against $spec
+  *  hl_bal - balance tags and ensure proper nesting
+  *  hl_cmtcd - handle CDATA sections and HTML comments
+  *  hl_ent - handle character entities
+  *  hl_prot - check a URL scheme/protocol
+  *  hl_regex - check syntax of a regular expression
+  *  hl_spec - convert user-supplied $spec value to one used internally
+  *  hl_tag - handle element tags and attributes
+  *  hl_tag2 - transform element tags
+  *  hl_tidy - compact/beautify HTML
+  *  hl_version - report htmLawed version
+  *  htmLawed - main function
+
htmLawed() finalizes $spec (with the help of hl_spec()) and $config, and globalizes them. Finalization of $config involves setting default values if an inappropriate or invalid one is supplied. This includes calling hl_regex() to check well-formedness of regular expression patterns if such expressions are user-supplied through $config. htmLawed() then removes invalid characters like nulls and x01 and appropriately handles entities using hl_ent(). HTML comments and CDATA sections are identified and treated as per $config with the help of hl_cmtcd(). When retained, the < and > characters identifying them, and the <, > and & characters inside them, are replaced with control characters (code-points 1 to 5) till any tag balancing is completed.
+
+  After this initial processing htmLawed() identifies tags using regex and processes them with the help of hl_tag() --  a large function that analyzes tag content, filtering it as per HTML standards, $config and $spec. Among other things, hl_tag() transforms deprecated elements using hl_tag2(), removes attributes from closing tags, checks attribute values as per $spec rules using hl_attrval(), and checks URL protocols using hl_prot(). htmLawed() performs tag balancing and nesting checks with a call to hl_bal(), and optionally compacts/beautifies the output with proper white-spacing with a call to hl_tidy(). The latter temporarily replaces white-space, and <, > and & characters inside pre, script and textarea elements, and HTML comments and CDATA sections with control characters (code-points 1 to 5, and 7).
+
+  htmLawed permits the use of custom code or hook functions at two stages. The first, called inside htmLawed(), allows the input text as well as the finalized $config and $spec values to be altered right after the initial processing (see section 3.7). The second is called by hl_tag() once the tag content is finalized (see section 3.4.9).
+
+  The functionality of htmLawed is dictated by the external HTML standards. The code of htmLawed is thus written for a clear-cut aim, with not much concern for tweaking by other developers. The code is only minimally annotated with comments -- it is not meant to instruct. PHP developers familiar with the HTML specifications will see the logic, and others can always refer to the htmLawed documentation. +
+
+
+


HTM version of htmLawed_README.txt generated on 03 Sep, 2021 using rTxt2htm from PHP Labware +
+
+ + \ No newline at end of file diff --git a/web/libraries/htmLawed/htmLawed_README.txt b/web/libraries/htmLawed/htmLawed_README.txt index 08d5a0e5e..60189d2ec 100755 --- a/web/libraries/htmLawed/htmLawed_README.txt +++ b/web/libraries/htmLawed/htmLawed_README.txt @@ -1,6 +1,6 @@ /* -htmLawed_README.txt, 25 May 2017 -htmLawed 1.2.2, 25 May 2017 +htmLawed_README.txt, 4 September 2021 +htmLawed 1.2.6, 4 September 2021 Copyright Santosh Patnaik Dual licensed with LGPL 3 and GPL 2+ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed @@ -604,7 +604,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern * Named character entities must be properly cased. Thus, '≪' or '&TILDE;' will not be recognized as entities and will be `neutralized`. - * HTML comments should not be inside element tags (they can be between tags), and should begin with ''. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any '-->' inside should be put in as '-->'. Any '--' inside will be automatically converted to '-', and a space will be added before the comment delimiter '-->'. + * HTML comments should not be inside element tags (they can be between tags), and should begin with ''. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any '-->' inside should be put in as '-->'. Any '--' inside will be automatically converted to '-', and a space will be added before the '-->' comment-closing marker unless '$config["comments"]' is set to '4' (section:- #3.3.1). * 'CDATA' sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with '<[CDATA[' and end with ']]>'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any ']]>' inside should be put in as ']]>'. @@ -867,16 +867,16 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern 'CDATA' sections have the format '"...]]>', and HTML comments, '"... -->'. Neither HTML comments nor 'CDATA' sections can reside inside tags. HTML comments can exist anywhere else, but 'CDATA' sections can exist only where plain text is allowed (e.g., immediately inside 'td' element content but not immediately inside 'tr' element content). - htmLawed (function 'hl_cmtcd()') handles HTML comments or 'CDATA' sections depending on the values of '$config["comment"]' or '$config["cdata"]'. If '0', such markup is not looked for and the text is processed like plain text. If '1', it is removed completely. If '2', it is preserved but any '<', '>' and '&' inside are changed to entities. If '3', they are left as such. + htmLawed (function 'hl_cmtcd()') handles HTML comments or 'CDATA' sections depending on the values of '$config["comment"]' or '$config["cdata"]'. If '0', such markup is not looked for and the text is processed like plain text. If '1', it is removed completely. If '2', it is preserved but any '<', '>' and '&' inside are changed to entities. If '3' for '$config["cdata"]', or '3' or '4' for '$config["comment"]', they are left as such. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook). Note that for the last two cases, HTML comments and 'CDATA' sections will always be removed from tag content (function 'hl_tag()'). Examples: Input: - Home + Home Output ('$config["comment"] = 0, $config["cdata"] = 2'): - <-- home link -->Home + <-- home link-->Home Output ('$config["comment"] = 1, $config["cdata"] = 2'): Home Output ('$config["comment"] = 2, $config["cdata"] = 2'): @@ -885,8 +885,10 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern Home Output ('$config["comment"] = 3, $config["cdata"] = 3'): Home - - For standard-compliance, comments are given the form '', and any '--' in the content is made '-'. + Output ('$config["comment"] = 4, $config["cdata"] = 3'): + Home + + For standard-compliance, comments are given the form '', and any '--' in the content is made '-'. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker. When '$config["safe"] = 1', CDATA sections and comments are considered plain text unless '$config["comment"]' or '$config["cdata"]' is explicitly specified; see section:- #3.6. @@ -901,7 +903,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern * big - 'span style="font-size: larger;"' * center - 'div style="text-align: center;"' * dir - 'ul' - * font (face, size, color) - 'span style="font-family: ; font-size: ; color: ;"' (size transformation reference:- http://style.cleverchimp.com/font_size_intervals/altintervals.html) + * font (face, size, color) - 'span style="font-family: ; font-size: ; color: ;"' (size transformation reference:- http://web.archive.org/web/20180201141931/http://style.cleverchimp.com/font_size_intervals/altintervals.html) * isindex - based on '$config["make_tag_strict"]', unchanged ('1') or removed ('2') * s - 'span style="text-decoration: line-through;"' * strike - 'span style="text-decoration: line-through;"' @@ -918,7 +920,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern The output:
- The PHP software script used for this web-page web-page is htmLawedTest.php, from PHP Labware. + The PHP software script used for this web-page web-page is htmLawedTest.php, from PHP Labware.
@@ -1025,7 +1027,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern Note that attributes specified in '$config["deny_attribute"]' are denied globally, for all elements. To deny attributes for only specific elements, '$spec' (see section:- #2.3) can be used. '$spec' can also be used to element-specifically permit an attribute otherwise denied through '$config["deny_attribute"]'. - Finer restrictions on attributes can also be put into effect through '$config["deny_attribute"]' (section:- 3.4.9). + Finer restrictions on attributes can also be put into effect through '$config["hook_tag"]' (section:- #3.4.9). *Note*: To deny all but a few attributes globally, a simpler way to specify '$config["deny_attribute"]' would be to use the notation '* -attribute1 -attribute2 ...'. Thus, a value of '* -title -href' implies that except 'href' and 'title' (where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter 'safe' (section:- #3.6) will have no effect on 'deny_attribute'. Values of 'aria*' 'data*', and 'on*' cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively. @@ -1257,7 +1259,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern // Inject param for allowscriptaccess if($element == 'object'){ - $new_element = ''; + $new_element = ''; ++$id; } @@ -1367,6 +1369,18 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern (The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the 'htmLawed.php' file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.) `Version number - Release date. Notes` + + 1.2.6 - 4 September 2021. Fixes a bug that arises when '$config["deny_attribute"]' has a 'data-*' attribute with > 1 hyphen character + + 1.2.5 - 24 September 2019. Fixes two bugs in 'font' tag transformation + + 1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in '$config["schemes"]' + + 1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4 + + 1.2.4 - 31 August 2017. Removes use of PHP 'create_function' function and '$php_errormsg' reserved variable (deprecated in PHP 7.2) + + 1.2.3 - 5 July 2017. New option value of '4' for '$config["comments"]' to stop enforcing a space character before the '-->' comment-closing marker 1.2.2 - 25 May 2017. Fix for a bug in parsing '$spec' that got introduced in version 1.2; also, '$spec' is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules diff --git a/web/libraries/htmLawed/htmLawed_TESTCASE.txt b/web/libraries/htmLawed/htmLawed_TESTCASE.txt new file mode 100755 index 000000000..24b00e739 --- /dev/null +++ b/web/libraries/htmLawed/htmLawed_TESTCASE.txt @@ -0,0 +1,455 @@ +/* +htmLawed_TESTCASE.txt, 24 September 2019 +To test htmLawed +Copyright Santosh Patnaik +Dual licensed with LGPL 3 and GPL 2+ +A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed +*/ + +This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit. + +************************************************ +when viewing this file in a web browser, set the +character encoding to Unicode/UTF-8 +************************************************ + +--------------------- start -------------------- + +Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page
+ +
Attributes
+ +Xml:lang:, ,
+Standard, predefined value, or empty attribute: , ,
+Required: , image
+Quote & space variation: a, a, a
+Invalid: a
+Duplicated: a
+Deprecated: a,

+Casing:
+Custom: image
+Data-*: a
+Admin-restricted?: + +
Attribute values
+ +Duplicate ID value:, ,
+(try 'my_' for prefix)
+Double-quotes in value:, ,
+(try filter for CSS expression)
+CSS expression:

+Other: ,
+(try 'maxlen', 'maxval', etc., for 'input' in '$spec') + +
Blockquotes
+ +
abc

+
abc
def

+
abc
def

+
abc
def
ghi

+abc
def
ghi
+
QQQ
x

+
x
QQQ

+
x
QQQ
x

+
x
QQQ

x


+
+(try with blockquote parent) + +
CDATA sections
+ +Special characters inside: ]]>, 3.5, & 4 > 4 ]]>
+Normal: , CDATA follows:
+Malformed: , < ![CDATA check ]]>, , < ![CDATA check ] ]>
+Invalid: >CDATA in tag content,
text not allowed
+ +
Complex-1: deprecated elements
+ +
+The PHP software script used for this web-page webpage is htmLawedTest.php, from PHP Labware. +
+ +
Complex-2: deprecated attributes
+ +aa +
+
+image + + + + + +
+
+

Section

+

Para

+
  1. First item
+
+ 		+
  1. First item
+
+
+ +
Complex-3: embed, object, area
+ +
+ +
+ + +

navigate the site: 1 | 3 | 4

+ + + +value + + + + + + + + +
Complex-4: nested and other tables
+ +
Cell
Cell
Cell
Cell Cell Cell
Cell
Cell Cell Cell

+PCDATA wrong: Well
Hello

+Missing tr:
Well

+ +
Complex-5: pseudo, disallowed or non-HTML tags
+ +(Try different 'keep_bad' values) +<*> Pseudotags <*> +Non-HTML tag xml +

+Disallowed tag p +

+
    Bad
  • OK
+ +
Elements
+ +Unbalanced: check
+Non-XHTML:

+Malformed: < a href="">, , , , < /a>, < a href="">, a, a,
+Invalid: a
+Empty: a, a, atext
+Content invalid: 12
+Content invalid?:

(try setting 'form' as parent)
+Casing:
+Check for tidy:
hi
+ +
Entities
+ +Special: & 3 < 2 & 5>4 and j >i >a & ia
+Padding: B B f f  
+Malformed: & #x27;, &x27;, ' &TILDE;, &tilde
+Invalid: , �, , �, ￿, &bad;
+Discouraged characters: , „, ﷠, 􏿾
+Context: '>', <?
+Casing: ', ', &TILDE;, ˜ +
+(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions) + +
Format
+ +Valid but ill-formatted: text +text + text text
p r e
+ text text
+text none text +text none t e x t + text none t e x t + +text none t e x t + +
+ 
p r e
+ 
+				pre
+
+
+
Cell
Cell
Cell
CellCellCell
Cell
CellCellCell
+(try to compact or beautify) + +
Forms
+ +(note nesting of 'form', missing required attributes, etc.)
+
+ +
pl
+ h + +

+


+
B:C:

+(try each of these lines separately)
+
what
+what +(try with container as div and as form)
+c a b + +
HTML comments (also CDATA)
+ +Script inside:
+Special characters inside: , , , c
+Normal: , , comment:,
text not allowed

+Malformed: , < ![CDATA check ]]>, < ![CDATA check ] ]>
+Invalid: >comment in tag content, + +
HTML5
+ +figure and figcaption:
picture
Caption for the awesome picture
+article:

A

B

C

E

F

G

+meter:

Heat 150.

+datalist: + +
Ins-Del
+ +(depending on context, these elements can be of either block or inline type)
+

block


+

d


+

d

d

d
 + +
Lists
+ +Invalid character data:
  • (item
    • )

+Definition list:
a
bad
first one
b
second

+Definition list, close-tags omitted:
a
bad
first one
b
second

+Definition lists, nested:
+
T1
+
D1
+
T2
+
D2
t1
d1
t2
d2
+
T3
+
D3
+
T4
+
D4
t1
d1
+

+Definition lists, nested, close-tags omitted:
+
T1 +
D1
+
T2
+
D2
t1
d1
t2
d2
+
T3 +
D3 +
T4 +
D4
t1
d1
+

+Nested:
    +
  • l1
    • +
  • l2
    1. lo1
    2. lo2
    • +
  • l3
    • +
  • l4
    1. lo3
    2. lo4
      1. lo5
    • +

+Nested, directly:
    +
  • l1
    • +
      l2
    +
  • l3
    • +

+Nested, close-tags omitted:
    +
  • l1
    • +
  • l2
    1. lo1
    2. lo2
    +
  • l3 +
  • l4
    1. lo3
    2. lo4
      1. lo5
    +

+Complex: +
  1. +
    +
+Menu:
  • + +
    • +     + +
    Microdata
    + +
    +I am X but people call me Y. +Find me at +
    + +
    Microsoft Word
    + +Proprietary tag:

     


    +XML declaration:
    +XML-invalid character code-point (may not replicate):

    “Where is he?” asked both Mary – the one so lovely – and Jane.

    + +
    Nesting
    + +Block or inline a:

    text

    hi

    + +
    Non-English text-1
    + +Inscrieţi-vă acum la a Zecea Conferinţă Internaţională
    +გთხოვთ ახლავე გაიაროთ რეგისტრაცია
    +večjezično računalništvo
    +อ.อ่าง
    +Зарегистрируйтесь сейчас +на Десятую Международную Конференцию по
    +(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.) + +
    Non-English text-2: entities
    + +用统一码
    +გთხოვთ
    +Inscreva-se agora para a Décima Conferência Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de março de 1997 em Mainz +na Alemanha. + +
    Ruby
    + +(need compatible browser)
    + + + 斎 + 藤 + 信 + 男 + + + さい + とう + のぶ + お + + + W3C Associate Chairman + +
    + + WWW + (World Wide Web) +
    + + A + (aaa) + + + +
    Tables
    + +Omitted closing tags: ++ + +
    h1c1h1c2 +
    r1c1r1c2 +
    r2c1r2c2 +

    +Nested, omitted closing tags: ++ + +
    h1c1h1c2 +
    r1c1r1c2 ++ + +
    h1c1h1c2 +
    r1c1r1c2 +
    r2c1r2c2 +
    +
    r2c1r2c2 +

    + +
    Tag transformation
    +Font element with malicious code:


    +Font element intended as 'inline' element:

    hi


    +Font element intended as 'block' element:
    hi

    +Font element intended as 'block' element:
    hi
    QQQ

    + +
    Tidy
    +White-space handling: abc def ghi abc def ghi + +
    URLs
    + +Relative and absolute: , , , , , ,
    +(try base URL value of 'http://a.com/b/')
    +CSS URLs:
    ,
    ,
    ,
    ,

    +Double URLs: b
    +Anti-spam: (try regex for 'http://a.com', etc.) , , , , , , ,
    +Soft-hyphen: ídis­c + +
    XSS
    + +<img onmouseover=confirm(1)// +'';!--"=&{()}
    +
    +
    +
    +
    +test + +

    +

    +

    +
    +
    +

    +test
    +Bad IE7: x
    +Opera: link +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: xxx
    +Bad IE7: x
    +Bad IE7: x
    +Bad IE7: x
    +Bad IE7: x
    +Bad IE7: exp/*x
    +Bad IE7: hi
    +Bad IE7: hi
    +Bad IE7: test
    +Bad IE7: hi
    +Bad IE7: hi
    + +
    Other
    + +3 < 4
    +3 > 4
    + > 3
    +<._.> hi!
    +<<< ALERT >>>
    + some stuff
    +
    +
    +
    +if(13age){say 'teen'}
    +age >51 and a smoking history of >51 pack-years was
    +age > 51 and a smoking history of >51 pack-years was
    +age <51 and a smoking history of <51 pack-years was
    +age < 51 and a smoking history of < 51 pack-years was
    +age >51 and a smoking history of >51 pack-years
    +age > 51 and a smoking history of >51 pack-years
    +age <51 and a smoking history of <51 pack-years
    +age < 51 and a smoking history of < 51 pack-years
    diff --git a/web/modules/contrib/htmlawed/htmLawed/htmLawed.php b/web/modules/contrib/htmlawed/htmLawed/htmLawed.php index 7b05dd871..b384d9819 100755 --- a/web/modules/contrib/htmlawed/htmLawed/htmLawed.php +++ b/web/modules/contrib/htmlawed/htmLawed/htmLawed.php @@ -1,7 +1,7 @@
    -
    htmLawed_README.txt, 12 September 2017
    -htmLawed 1.2.4.1, 12 September 2017
    +
    htmLawed_README.txt, 24 September 2019
    +htmLawed 1.2.5, 24 September 2019
    Copyright Santosh Patnaik
    Dual licensed with LGPL 3 and GPL 2+
    A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed 
    @@ -1127,7 +1127,7 @@ A PHP Labware internal utility - span style="font-size: larger;"
      *  center - div style="text-align: center;"
      *  dir - ul
    -  *  font (face, size, color) -    span style="font-family: ; font-size: ; color: ;" (size transformation     reference)
    +  *  font (face, size, color) -    span style="font-family: ; font-size: ; color: ;" (size transformation reference)
      *  isindex - based on $config["make_tag_strict"], unchanged (1) or removed (2)
      *  s - span style="text-decoration: line-through;"
      *  strike - span style="text-decoration: line-through;"
    @@ -1153,7 +1153,7 @@ A PHP Labware internal utility -     <div style="text-align: center;">
    -     The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-family: arial; color: red; font-size: 200%;">htmLawedTest.php</span>, from <span style="color:green; text-decoration: underline;">PHP Labware</span>. +     The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <u style="color:green">PHP Labware</u>.
        </div> @@ -1670,7 +1670,7 @@ A PHP Labware internal utility -           if($element == 'object'){
    -        $new_element = '<param id='my_'. $id; allowscriptaccess="never" />'; +        $new_element = '<param id="my_'. $id. '"; allowscriptaccess="never" />';
            ++$id; @@ -1827,6 +1827,10 @@ A PHP Labware internal utility -     font tag transformation
    +
    +  1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in $config["schemes"]
    +
      1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4

      1.2.4 - 31 August 2017. Removes use of PHP create_function function and $php_errormsg reserved variable (deprecated in PHP 7.2)
    @@ -2278,7 +2282,7 @@ A PHP Labware internal utility -     HTM version of htmLawed_README.txt generated on 12 Sep, 2017 using rTxt2htm from PHP Labware +


    HTM version of htmLawed_README.txt generated on 25 Sep, 2019 using rTxt2htm from PHP Labware
    diff --git a/web/modules/contrib/htmlawed/htmlawed.info.yml b/web/modules/contrib/htmlawed/htmlawed.info.yml index e898bbfd6..bf0a26da0 100644 --- a/web/modules/contrib/htmlawed/htmlawed.info.yml +++ b/web/modules/contrib/htmlawed/htmlawed.info.yml @@ -2,10 +2,9 @@ name: htmLawed HTML filter/purifier description: Use htmLawed to restrict and correct HTML for compliance with admin. policy and standards and for security type: module package: filter -# core: 8.x +core: 8.x -# Information added by Drupal.org packaging script on 2018-07-05 -version: '8.x-3.5' -core: '8.x' +# Information added by Drupal.org packaging script on 2020-04-11 +version: '8.x-3.7' project: 'htmlawed' -datestamp: 1530751729 +datestamp: 1586586868 diff --git a/web/modules/contrib/htmlawed/readme.txt b/web/modules/contrib/htmlawed/readme.txt index 3415474ce..90015a886 100644 --- a/web/modules/contrib/htmlawed/readme.txt +++ b/web/modules/contrib/htmlawed/readme.txt @@ -1,55 +1,103 @@ -htmLawed Drupal 8 module +CONTENTS OF THIS FILE +--------------------- -By Santosh Patnaik -Since November 2015 -Dual licensed with LGPL 3+ and GPL 2+ + * Introduction + * Requirements + * Installation + * Configuration + * Maintainers -ABOUT -==================================== -The htmLawed module uses the htmLawed PHP library (www.bioinformatics.org/phplabware/internal_utilities/htmLawed) to restrict and purify HTML for compliance with admin. policy and standards and for security. +INTRODUCTION +------------ -The module's directory includes the htmLawed PHP library and htmLawed documentation in its 'htmLawed' sub-directory. The content of the sub-directory can be replaced with that for the latest htmLawed version from www.bioinformatics.org/phplabware/internal_utilities/htmLawed. +The htmLawed module uses the htmLawed PHP library to restrict and purify HTML +for compliance with site administrator policy and standards and for security. +Use of the htmLawed library allows for highly customizable control of HTML +markup. -If the htmLawed PHP library has been installed through the Libraries Drupal module, then the htmLawed module will use that library, and not the library in the htmLawed module's 'htmLawed' sub-directory. + * For a full description of the module, visit the project page: + https://www.drupal.org/project/htmlawed + or https://www.drupal.org/node/255886 -The Drupal website may have a handbook and other pages detailing htmLawed module usage (http://drupal.org/node/255886 and https://www.drupal.org/search/site/htmlawed?f[0]=ss_meta_type%3Adocumentation). - -INSTALLATION -==================================== - -Place the htmLawed module directory ('htmlawed') in an appropriate location within the Drupal installation directory, such as within its 'modules' directory. - -Then administer your Drupal website to enable the module. - -Note that if the htmLawed PHP library has been installed through the Libraries Drupal module, then the htmLawed module will use that library, and not the library in the htmLawed module's 'htmLawed' sub-directory. + * To submit bug reports and feature suggestions, or to track changes: + https://www.drupal.org/project/issues/htmlawed -USAGE -==================================== +REQUIREMENTS +------------ -To enable and/or configure the htmLawed filter, such as for a text format, visit the text formats section of your Drupal website and configure the text format that will use or uses the filter. +This module requires no modules outside of Drupal core. -More than one text format can use the filter, each configured with its own settings for the filter. The htmLawed filter is configured by providing values in the form for its settings. The 'Config.' form-field is filled with comma-separated, quoted, key-value pairs like: -'safe'=>1, 'element'=>'a, em, strong' +INSTALLATION +------------ -(These are interpreted as PHP array elements). + * Install the htmLawed module as you would normally install a contributed + Drupal module. Visit https://www.drupal.org/node/1897420 for further + information. -The 'Spec.' form-field is an optional string of unquoted text. See the htmLawed documentation for more on how 'Config.' and 'Spec.' can be set, for instance, to permit all HTML, or restrict links to only certain domains. The default htmLawed filter settings allow the use of the a, em, strong, cite, code, ol, ul, li, dl, dt, dd, br and p HTML tags, and deny the id and style HTML attributes, and any unsafe markup (such as the the scriptable onclick attribute). +Note: If the htmLawed PHP library has been installed through the Libraries +Drupal module, then the htmLawed module will use that library, and not the +library in the htmLawed module's 'htmLawed' sub-directory. -Content in the 'Short tip' and 'Long tip' form-fields are used to inform users about the filter, such as about the tags that are allowed. -To allow HTML comments such as the one used for the Drupal teaser-break indicator (), add "'comment' => 2" to the 'Config.' value of the htmLawed settings. To allow PHP codes (flanked by '') add "'save_php' => 1" to the 'Config.' value of the htmLawed settings. +CONFIGURATION +------------- -Depending on the types of other filters in use, you may need to re-arrange the processing order of filters. The htmLawed filter would usually be the last filter to be run. If a filter generates HTML markup and is run before htmLawed, then htmLawed should be configured appropriately to permit such markup. +To enable and/or configure the htmLawed filter, such as for a text format, visit +the text formats section of your Drupal website and configure the text format +that will use or uses the filter. -Any in-built Drupal actions/filters to restrict HTML, correct broken HTML, or balance or properly nest HTML tags can be disabled since htmLawed performs these tasks. The htmLawed filter can also be used to restrict HTML attributes, limit URL protocols, etc. Note that htmLawed does not convert URLs into links nor does it convert line breaks into HTML. +More than one text format can use the filter, each configured with its own +settings for the filter. The htmLawed filter is configured by providing values +in the form for its settings. The 'Config.' form-field is filled with +comma-separated, quoted, key-value pairs like: -It is important to understand the security implications of the htmLawed settings in use and the limitations of htmLawed. To keep the htmLawed library included with the module updated, replace the 'htmLawed.php' and 'htmLawed_README.htm' files inside the 'htmLawed' sub-directory of the htmLawed module directory ('htmlawed') with newer versions downloaded from the htmLawed website (www.bioinformatics.org/phplabware/internal_utilities/htmLawed). If the htmLawed library is being used through the Libraries Drupal module, use that module to update the library. +``` +'safe'=>1, 'element'=>'a, em, strong' +``` -HELP -==================================== +(These are interpreted as PHP array elements). -Visit the module's website at https://www.drupal.org/project/htmlawed. - \ No newline at end of file +The 'Spec.' form-field is an optional string of unquoted text. Visit the +htmLawed documentation for more on how 'Config.' and 'Spec.' can be set, for +instance, to permit all HTML, or restrict links to only certain domains. The +default htmLawed filter settings allow the use of the a, em, strong, cite, +code, ol, ul, li, dl, dt, dd, br and p HTML tags, and deny the id and style +HTML attributes, and any unsafe markup (such as the scriptable onclick +attribute). + +Content in the 'Short tip' and 'Long tip' form-fields are used to inform users +about the filter, such as about the tags that are allowed. + +To allow HTML comments such as the one used for the Drupal teaser-break +indicator (), add "'comment' => 2" to the 'Config.' value of the +htmLawed settings. To allow PHP codes (flanked by '') add +"'save_php' => 1" to the 'Config.' value of the htmLawed settings. + +Depending on the types of other filters in use, you may need to re-arrange the +processing order of filters. The htmLawed filter would usually be the last +filter to be run. If a filter generates HTML markup and is run before htmLawed, +then htmLawed should be configured appropriately to permit such markup. + +Any in-built Drupal actions/filters to restrict HTML, correct broken HTML, or +balance or properly nest HTML tags can be disabled since htmLawed performs +these tasks. The htmLawed filter can also be used to restrict HTML attributes, +limit URL protocols, etc. Note that htmLawed does not convert URLs into links +nor does it convert line breaks into HTML. + +It is important to understand the security implications of the htmLawed settings +in use and the limitations of htmLawed. To keep the htmLawed library included +with the module updated, replace the 'htmLawed.php' and 'htmLawed_README.htm' +files inside the 'htmLawed' sub-directory of the htmLawed module directory +('htmlawed') with newer versions downloaded from the htmLawed website +(www.bioinformatics.org/phplabware/internal_utilities/htmLawed). If the htmLawed +library is being used through the Libraries Drupal module, use that module to +update the library. + + +MAINTAINERS +----------- + + * alpha2zee - https://www.drupal.org/u/alpha2zee diff --git a/web/modules/contrib/htmlawed/src/Plugin/Filter/Filterhtmlawed.php b/web/modules/contrib/htmlawed/src/Plugin/Filter/Filterhtmlawed.php index 6585918ae..3a35b72e4 100644 --- a/web/modules/contrib/htmlawed/src/Plugin/Filter/Filterhtmlawed.php +++ b/web/modules/contrib/htmlawed/src/Plugin/Filter/Filterhtmlawed.php @@ -12,6 +12,7 @@ use Drupal\Core\Form\FormStateInterface; use Drupal\Core\Url; use Drupal\filter\FilterProcessResult; use Drupal\filter\Plugin\FilterBase; +use Drupal\Core\StringTranslation\StringTranslationTrait; /** * Provides for use of htmLawed @@ -36,11 +37,13 @@ use Drupal\filter\Plugin\FilterBase; class Filterhtmlawed extends FilterBase { + use StringTranslationTrait; + /** * {@inheritdoc} */ public function process($text, $langcode) { - + // Use htmLawed filter settings for the $config and $spec arguments to htmLawed(); // use default values if needed. $htmLawed_settings = $this->settings; @@ -51,13 +54,13 @@ class Filterhtmlawed extends FilterBase { if (!is_array($config)) { $config = array('safe'=>1, 'elements'=>'a, em, strong, cite, code, ol, ul, li, dl, dt, dd, br, p', 'deny_attribute'=>'id, style'); } - + // If PHP code blocks are to be preserved, hide the special characters // like '<' of '|<\?php(.*?)$`sm', function($m){return "\x83?php". str_replace(array('<', '>', '&'), array('<', '>', '&'), $m[1]). (substr($m[0], -2) == '?>' ? "?\84" : '');}, $text); } - + // If Libraries module (API 3.x) is enabled, use htmLawed library through it; // else use the htmLawed library provided with the htmLawed module. $module_path = drupal_get_path('module', 'htmlawed'); @@ -71,16 +74,16 @@ class Filterhtmlawed extends FilterBase { // htmLawed filtering. $text = htmLawed($text, $config, $htmLawed_settings['spec']); - + // In case Drupal's teaser-break is in use; // since htmLawed corrects HTML comments to use the right format. $text = str_replace('', '', $text); - + // Handle any PHP code preservation. if (!empty($config['save_php'])) { $text = preg_replace_callback('`\x83\?php(.+?)\?\x84|\x83\?php(.*?)$`sm', function($m){return "'), $m[1]). (substr($m[0], -2) == "?\x84" ? "?>" : '');}, $text); } - + // Return value. $result = new FilterProcessResult($text); return $result; @@ -92,7 +95,7 @@ class Filterhtmlawed extends FilterBase { public function settingsForm(array $form, FormStateInterface $form_state) { $htmLawed_settings = $this->settings; $form['config'] = array( - '#prefix' => t('Help', array(':url' => Url::fromUri('base:admin/help/htmlawed')->toString())), + '#prefix' => $this->t('Help', array(':url' => Url::fromUri('base:admin/help/htmlawed')->toString())), '#type' => 'textarea', '#rows' => '2', '#title' => $this->t('Config.'), @@ -125,11 +128,11 @@ class Filterhtmlawed extends FilterBase { /** * {@inheritdoc} - */ + */ public function tips($long = FALSE) { $htmLawed_settings = $this->settings; $help = !$long ? Html::escape($htmLawed_settings['help']) : Html::escape($htmLawed_settings['helplong']); - $help = !empty($help) ? $help : (!$long ? t('HTML markup is restricted/corrected with the htmLawed filter.') : t('HTML markup is restricted/corrected with the @htmLawed filter for compliance with admin. policy and standards and for security. More details about the restrictions in effect may be available elsewhere, such as in the text of the filter-tips of text formats that use htmLawed and on the forms for configuring text formats.', array('@htmLawed' => \Drupal::l('htmLawed', Url::fromUri('http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed')))) . (!\Drupal::currentUser()->hasPermission('administer filters') ? '' : t(' For information on configuring the htmLawed filter, visit the htmLawed module @help section.', array('@help' => \Drupal::l(t('help'), Url::fromUri('base:admin/help/htmlawed')))))); + $help = !empty($help) ? $help : (!$long ? $this->t('HTML markup is restricted/corrected with the htmLawed filter.') : $this->t('HTML markup is restricted/corrected with the @htmLawed filter for compliance with admin. policy and standards and for security. More details about the restrictions in effect may be available elsewhere, such as in the text of the filter-tips of text formats that use htmLawed and on the forms for configuring text formats.', array('@htmLawed' => \Drupal::l('htmLawed', Url::fromUri('http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed')))) . (!\Drupal::currentUser()->hasPermission('administer filters') ? '' : $this->t(' For information on configuring the htmLawed filter, visit the htmLawed module @help section.', array('@help' => \Drupal::l($this->t('help'), Url::fromUri('base:admin/help/htmlawed')))))); return $help; } } diff --git a/web/modules/contrib/security_review/API.txt b/web/modules/contrib/security_review/API.txt deleted file mode 100644 index 627e264e8..000000000 --- a/web/modules/contrib/security_review/API.txt +++ /dev/null @@ -1,198 +0,0 @@ -For the latest documentation and code examples go to: -https://www.drupal.org/node/2508415 - -# Security Review API - - * Defining a security check - * Identifiers - * Action and messages - * Help page - * Evaluation page (optional) - * Check-specific settings (optional) - * Form generation - * Configuration schema - * Hooks - * Alterable variables - * Drush usage - -## Defining a security check - - This part of the documentation lets the developer understand the behavior of - the module. If anything's unclear it is recommended to look at the examples. - - To define a security check for Security Review, one has to create a class that - extends Drupal\security_review\Check. - The functions that must be overridden are the following: - * getNamespace() - * getTitle() - * run() - * help() - * getMessage() - - ### Identifiers - - There are 5 kinds of identifiers for a given check: - * namespace - * machine namespace - * title - * machine title - * id - - The 'namespace' must be manually set for each check by overriding the - getNamespace() method. This is the human-readable namespace of the check - (usually the module's name). - - The 'machine namespace' is the version of namespace that is used internally. - If getMachineNamespace() isn't overridden, then it is produced from the - human-readable namespace by removing any non-alphanumeric characters and - replacing spaces with underscores. When overriding getMachineNamespace() - this rule must be followed. - - The 'title' must be manually set for each check by overriding the getTitle() - method. This is the human-readable title of the check. - - The 'machine title' has the same relationship to 'title' as 'machine - namespace' has to 'namespace'. The machine title should be unique to the - namespace. This might only be achievable by overriding getMachineTitle(). - - The 'id' is only used internally and cannot be overridden. It's constructed - by taking the 'machine namespace' and 'machine title' and putting a hyphen - between them. - - ### Action and messages - - The part where the actual security check happens is the run() method. This - method must be overridden, and should always return an instance of - Drupal\security_review\CheckResult. - - Instantiating a CheckResult: - - CheckResult defines one constructor: - (Check $check, $result, array $findings, $visible = TRUE, $time = NULL) - * $check - The Check that is responsible for the result - * $result - An integer that defines the outcome of the check: - * CheckResult::SUCCESS - for a successful check - * CheckResult::FAIL - for a failed check - * CheckResult::WARN - for a check that only raised a warning - * CheckResult::INFO - general result for providing information - * $findings - An array of findings that can be evaluated. It can be empty. - * $visible - Check results can be hidden from the user by setting $visible to FALSE. - * $time - Timestamp indicating the time when the result was produced. If left null - it will be the current time. - - NOTE: - It's easier to instantiate a result with Check's createResult() method. It - has the same parameters as the constructor for CheckResult, except the - $check is left out (set to $this). - - Human-readable messages for each result integer: - - Must be defined by overriding the getMessage() method. The implementation is - usually a switch-case. For more details take a look at Security Review's own - Check implementations. - - ### Help page - - Every Check can have its own help page by overriding the help() method. This - should return a render array. - See https://www.drupal.org/developing/api/8/render/arrays - - ### Evaluation page (optional) - - The evaluation page is for providing an evaluation of a CheckResult produced - by the Check. Overriding this is optional, the default implementation - returns an empty array. If one chooses to override evaluate(), the function - must return a render array. - See https://www.drupal.org/developing/api/8/render/arrays - - ### Check-specific settings (optional) - - If the Check requires storage for settings, it can be accessed via - $this->settings(). This method returns a - Drupal\security_review\CheckSettingsInterface. It has get() and set() - methods for accessing the stored configuration, and buildForm(), - submitForm(), validateForm() for form building. By default Check's - implementation contains a Drupal\security_review\CheckSettings, which stores - the values in the Configuration system, and does nothing in its form - building methods. Usually it's enough to extend this class if the Check - needs separate settings on the Security Review settings page. - - When using check-specific settings it's recommended to define a - configuration schema to store the values in their correct types. The schema - to declare is called security_review.check_settings.[id of check] . - -## Hooks - - ### hook_security_review_checks() - - To let Security Review know of the checks defined in the module it has to - implement hook_security_review_checks(). This hook is fairly simple. It has - to return an array of check instances. - - For example implementations see security_review.api.php and - security_review.module and the examples. - - ### hook_security_review_log() - - Provides logging functions for various events: - Check skipped / enabled - Check ran - Check gave a NULL result - - For example implementations see security_review.api.php and - security_review.module. - -## Alterable variables - - To understand what alterable variables are, take a look at - https://api.drupal.org/api/drupal/core!lib!Drupal!Core!Extension!ModuleHandler.php/function/ModuleHandler%3A%3Aalter/8 - To modify an alterable variable you have to implement hook_[TYPE]_alter. - An example: - - - - ### security_review_unsafe_tags - - The list of HTML tags considered to be unsafe. - See https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet . - - Default variable content is at Security::unsafeTags(). - - ### security_review_unsafe_extensions - - The list of file extensions considered to be unsafe for upload. Untrusted - users should not be allowed to upload files of these extensions. - - Default variable content is at Security::unsafeExtensions(). - - ### security_review_file_ignore - - The list of relative and absolute paths to ignore when running the File - permissions check. - - Default variable content is at FilePermissions::run(). - - ### security_review_temporary_files - - The list of files to check for the Temporary files security check. - - Default variable definition is at TemporaryFiles::run(). - -## Drush usage - - Run the checklist via Drush with the "drush security-review" command. - Consult the Drush help on the security-review command for more information. diff --git a/web/modules/contrib/security_review/IGNOREME.txt b/web/modules/contrib/security_review/IGNOREME.txt deleted file mode 100644 index 72e8e132b..000000000 --- a/web/modules/contrib/security_review/IGNOREME.txt +++ /dev/null @@ -1,5 +0,0 @@ -You should read the README.txt but can ignore this file. It is used as part of -the test to see if files are writable on your site. If you see timestamps below -this line those are security runs which were able to write to this file. -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -20160608114206 - Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps. diff --git a/web/modules/contrib/security_review/PATCHES.txt b/web/modules/contrib/security_review/PATCHES.txt deleted file mode 100644 index 3294fe193..000000000 --- a/web/modules/contrib/security_review/PATCHES.txt +++ /dev/null @@ -1,7 +0,0 @@ -This file was automatically generated by Composer Patches (https://github.com/cweagans/composer-patches) -Patches applied to this directory: - -Fix missing field review list -Source: https://www.drupal.org/files/issues/security_review-dangerous-tags-list-2744805-2.patch - - diff --git a/web/modules/contrib/security_review/README.txt b/web/modules/contrib/security_review/README.txt deleted file mode 100644 index 03e730428..000000000 --- a/web/modules/contrib/security_review/README.txt +++ /dev/null @@ -1,91 +0,0 @@ - --- ABOUT -- - -Security Review automates checking many of the configuration errors that lead -to an insecure Drupal site and looks for existing vulnerabilities and attack -attempts. - -The primary goal of the module is to elevate your awareness of the importance of -securing your Drupal site. The results of some checks may be incorrect depending -on unique factors, this module does not make your site more secure. You should -use the results of the checklist and its resources to manually secure your site. - -Refer to the support section below if you are interested in securing your Drupal -site. - --- INSTALLATION -- - -Place the security_review directory and its contents under /modules or a -subdirectory of /modules in the Drupal root directory. - -Enable the module at Administer >> Modules and refer to the -following sections for configuration and usage. - --- CONFIGURATION -- - -Two permissions are provided and required to use the module. Navigate to -Administer >> People >> Permissions to enable -'access security review list' and 'run security checks' for trusted roles. - -NOTICE: This module provides information on the state of your site's security so -it is imperative you grant these permissions to trusted roles and users only. -For instance, if you have an admin role, be sure that all the users who have -been granted this role are indeed users you trust if you grant them these -permissions. - -After you have granted permissions to the module you should inform the system -what roles are not trusted. Navigate to -Administer >> Reports >> Security Review >> Settings to mark which roles are -untrusted. Most checks only care if the resource is usable by -untrusted roles. - -On this page you can also define the level of logging. The result -of the last checklist is always stored but you can enable watchdog logging of -each check if you like. - --- USAGE -- - -Navigate to Administer >> Reports >> Security Review to run the checklist. - -If a check is enabled it will be run. You can enable or skip a check on this -page only after it has been run. Clicking on the 'Help' link beside each check -will provide details on why the check exists and what was found on the last run. - --- DRUSH USAGE -- - -Running the Security Review checklist using Drush is a great way to build -automated security audits of your site into your site development lifecycle and -as part of continuous integration. - -With the module installed invoke 'drush secrev' from within your Drupal root. - -Call 'drush help secrev' to see available options. - -For running specific checks pass the '--check' option. Be sure to remove any -whitespace characters separating check names. - -Consult implementations of hook_security_checks() for exact list of available -check options. Standard Security Review checks are: - -file_perms, input_formats, field, error_reporting, private_files, query_errors, -failed_logins, upload_extensions, admin_permissions, executable_php, -trusted_hosts, temporary_files - -For custom checks you may prefix the check name with the module name and -colon (:) character. For example: - -'drush secrev --check=my_module:my_check' - -Note, custom checks require that its module be enabled. Also, should you be -skipping any check the 'store' option will not allow that check to be run. - --- SUPPORT -- - -Please use the issue queue at http://drupal.org/project/security_review for all -module support. You can read more about securely configuring your site at -http://drupal.org/security/secure-configuration and http://drupalscout.com - --- CREDIT -- - -Security Review module originally written by Benjamin Jeavons, drupal.org user -coltrane. Ported to Drupal 8 by Viktor Bán. diff --git a/web/modules/contrib/security_review/config/install/security_review.check.security_review-base_url_set.yml b/web/modules/contrib/security_review/config/install/security_review.check.security_review-base_url_set.yml deleted file mode 100644 index 070f10a32..000000000 --- a/web/modules/contrib/security_review/config/install/security_review.check.security_review-base_url_set.yml +++ /dev/null @@ -1,3 +0,0 @@ -id: 'security_review-base_url_set' -settings: - method: 'token' diff --git a/web/modules/contrib/security_review/config/install/security_review.settings.yml b/web/modules/contrib/security_review/config/install/security_review.settings.yml deleted file mode 100644 index fe575a59c..000000000 --- a/web/modules/contrib/security_review/config/install/security_review.settings.yml +++ /dev/null @@ -1,3 +0,0 @@ -configured: false -untrusted_roles: [] -log: true diff --git a/web/modules/contrib/security_review/config/schema/security_review.schema.yml b/web/modules/contrib/security_review/config/schema/security_review.schema.yml deleted file mode 100644 index 3d30179b7..000000000 --- a/web/modules/contrib/security_review/config/schema/security_review.schema.yml +++ /dev/null @@ -1,45 +0,0 @@ -# The module's main settings. -security_review.settings: - type: config_entity - mapping: - configured: - type: boolean - label: 'Has been configured' - untrusted_roles: - type: sequence - label: 'Untrusted roles' - sequence: - type: string - label: 'Role ID' - log: - type: boolean - label: 'Logging enabled' - -# Defines a security check's skip informations and settings. -security_review.check.*: - type: config_entity - mapping: - id: - type: string - label: 'Check ID' - skipped: - type: boolean - label: 'Is skipped' - skipped_by: - type: integer - label: 'Skipped by' - skipped_on: - type: integer - label: 'Skipped on' - settings: - # Checks that need storage for settings are advised to define their settings schema. - # This way type-strict per-check settings storage can be created. - type: security_review.check_settings.[%parent.id] - -# Setting storage for Base URL check. -security_review.check_settings.security_review-base_url_set: - type: mapping - mapping: - method: - type: string - label: 'Base URL identification method' diff --git a/web/modules/contrib/security_review/css/security_review.run_and_review.css b/web/modules/contrib/security_review/css/security_review.run_and_review.css deleted file mode 100644 index 56ed396c1..000000000 --- a/web/modules/contrib/security_review/css/security_review.run_and_review.css +++ /dev/null @@ -1,42 +0,0 @@ -.security-review-run-and-review__table { - border: none; -} - -.security-review-run-and-review__entry { - border-width: 1px 0 0 0; - border-style: solid; - border-color: #ccc; -} - -.security-review-run-and-review__entry-icon { - width: 16px; -} - -.security-review-run-and-review__entry:last-child { - border-bottom-width: 1px; -} - -.security-review-run-and-review__entry.skipped { - color: #333333 !important; - background-color: #dddddd !important; -} - -.security-review-run-and-review__entry.success { - color: #255b1e; - background-color: #e5ffe2; -} - -.security-review-run-and-review__entry.fail { - color: #8c2e0b; - background-color: #fef5f1; -} - -.security-review-run-and-review__entry.warning { - color: #734c00; - background-color: #fdf8ed; -} - -.security-review-run-and-review__entry.info { - color: #000e6f; - background-color: #dfefff; -} diff --git a/web/modules/contrib/security_review/js/security_review.run_and_review.js b/web/modules/contrib/security_review/js/security_review.run_and_review.js deleted file mode 100644 index f249e415b..000000000 --- a/web/modules/contrib/security_review/js/security_review.run_and_review.js +++ /dev/null @@ -1,28 +0,0 @@ -/** - * @file - * Implementation of check toggling using AJAX. - */ - -(function ($) { - Drupal.behaviors.securityReview = { - attach: function (context) { - $(context).find('.security-review-toggle-link a').click(function () { - var link = $(this); - var url = link.attr('href'); - var td = link.parent(); - var tr = td.parent(); - $.getJSON(url + '&js=1', function (data) { - if (data.skipped) { - tr.addClass('skipped'); - } - else { - tr.removeClass('skipped'); - } - link.text(data.toggle_text); - link.attr(data.toggle_href); - }); - return false; - }); - } - }; -})(jQuery); diff --git a/web/modules/contrib/security_review/security_review.api.php b/web/modules/contrib/security_review/security_review.api.php deleted file mode 100644 index 157689dd2..000000000 --- a/web/modules/contrib/security_review/security_review.api.php +++ /dev/null @@ -1,48 +0,0 @@ -getNamespace() == "My Module") { - // Do something with the information. - } -} diff --git a/web/modules/contrib/security_review/security_review.drush.inc b/web/modules/contrib/security_review/security_review.drush.inc deleted file mode 100644 index 693188708..000000000 --- a/web/modules/contrib/security_review/security_review.drush.inc +++ /dev/null @@ -1,251 +0,0 @@ - ['secrev'], - 'callback' => 'security_review_drush', - 'description' => "Run the Security Review checklist", - 'options' => [ - 'store' => 'Write results to the database', - 'log' => 'Log results of each check to watchdog, defaults to off', - 'lastrun' => 'Do not run the checklist, just print last results', - 'check' => 'Comma-separated list of specified checks to run. See README.txt for list of options', - 'skip' => 'Comma-separated list of specified checks not to run. This takes precedence over --check.', - 'short' => "Short result messages instead of full description (e.g. 'Text formats')", - 'results' => 'Show the incorrect settings for failed checks', - ], - 'examples' => [ - 'secrev' => 'Run the checklist and output the results', - 'secrev --store' => 'Run the checklist, store, and output the results', - 'secrev --lastrun' => 'Output the stored results from the last run of the checklist', - ], - 'bootstrap' => DRUSH_BOOTSTRAP_DRUPAL_FULL, - 'outputformat' => [ - 'default' => 'table', - 'pipe-format' => 'csv', - 'fields-default' => ['message', 'status'], - 'field-labels' => [ - 'message' => 'Message', - 'status' => 'Status', - 'findings' => 'Findings', - ], - 'output-data-type' => 'format-table', - ], - ]; - - return $items; -} - -/** - * Implements hook_drush_help(). - */ -function security_review_drush_help($section) { - switch ($section) { - case 'drush:security-review': - return dt("Run configuration security checks on your Drupal site."); - } -} - -/** - * Runs a checklist and displays results. - */ -function security_review_drush() { - /** @var \Drupal\security_review\SecurityReview $security_review */ - $security_review = Drupal::service('security_review'); - - /** @var \Drupal\security_review\Checklist $checklist */ - $checklist = Drupal::service('security_review.checklist'); - - $store = drush_get_option('store'); - $log = drush_get_option('log'); - $last_run = drush_get_option('lastrun'); - $run_checks = drush_get_option_list('check'); - $skip_checks = drush_get_option_list('skip'); - $short_titles = drush_get_option('short'); - $show_findings = drush_get_option('results'); - - // Set temporary logging. - $log = in_array($log, [TRUE, 1, 'TRUE']); - $security_review->setLogging($log, TRUE); - - if (!empty($short_titles)) { - $short_titles = TRUE; - } - else { - $short_titles = FALSE; - } - - $results = []; - if (!$last_run) { - // Do a normal security review run. - /** @var \Drupal\security_review\Check[] $checks */ - $checks = []; - /** @var \Drupal\security_review\Check[] $to_skip */ - $to_skip = []; - - // Fill the $checks array. - if (!empty($run_checks)) { - // Get explicitly specified checks. - foreach ($run_checks as $check) { - $checks[] = _security_review_drush_get_check($check); - } - } - else { - // Get the whole checklist. - $checks = $checklist->getChecks(); - } - - // Mark checks listed after --skip for removal. - if (!empty($skip_checks)) { - foreach ($skip_checks as $skip_check) { - $to_skip[] = _security_review_drush_get_check($skip_check); - } - } - - // If storing, mark skipped checks for removal. - if ($store) { - foreach ($checks as $check) { - if ($check->isSkipped()) { - $to_skip[] = $check; - } - } - } - - // Remove the skipped checks from $checks. - foreach ($to_skip as $skip_check) { - foreach ($checks as $key => $check) { - if ($check->id() == $skip_check->id()) { - unset($checks[$key]); - } - } - } - - // If $checks is empty at this point, return with an error. - if (empty($checks)) { - return drush_set_error('EMPTY_CHECKLIST', dt("No checks to run. Run 'drush help secrev' for option use or consult the drush section of API.txt for further help.")); - } - - // Run the checks. - $results = $checklist->runChecks($checks, TRUE); - - // Store the results. - if ($store) { - $checklist->storeResults($results); - } - } - else { - // Show the latest stored results. - foreach ($checklist->getChecks() as $check) { - $last_result = $check->lastResult($show_findings); - if ($last_result instanceof CheckResult) { - $results[] = $last_result; - } - } - } - - return _security_review_drush_format_results($results, $short_titles, $show_findings); -} - -/** - * Helper function for parsing input check name strings. - * - * @param string $check_name - * The check to get. - * - * @return \Drupal\security_review\Check|null - * The found Check. - */ -function _security_review_drush_get_check($check_name) { - /** @var \Drupal\security_review\Checklist $checklist */ - $checklist = Drupal::service('security_review.checklist'); - - // Default namespace is Security Review. - $namespace = 'security_review'; - $title = $check_name; - - // Set namespace and title if explicitly defined. - if (strpos($check_name, ':') !== FALSE) { - list($namespace, $title) = explode(':', $check_name); - } - - // Return the found check if any. - return $checklist->getCheck($namespace, $title); -} - -/** - * Helper function to compile Security Review results. - * - * @param \Drupal\security_review\CheckResult[] $results - * An array of CheckResults. - * @param bool $short_titles - * Whether to use short message (check title) or full check success or failure - * message. - * @param bool $show_findings - * Whether to print failed check results. - * - * @return array - * The results of the security review checks. - */ -function _security_review_drush_format_results(array $results, $short_titles = FALSE, $show_findings = FALSE) { - $output = []; - - foreach ($results as $result) { - if ($result instanceof CheckResult) { - if (!$result->isVisible()) { - // Continue with the next check. - continue; - } - - $check = $result->check(); - $message = $short_titles ? $check->getTitle() : $result->resultMessage(); - $status = 'notice'; - - // Set log level according to check result. - switch ($result->result()) { - case CheckResult::SUCCESS: - $status = 'success'; - break; - - case CheckResult::FAIL: - $status = 'failed'; - break; - - case CheckResult::WARN: - $status = 'warning'; - break; - - case CheckResult::INFO: - $status = 'info'; - break; - } - - // Attach findings. - if ($show_findings) { - $findings = trim($result->check()->evaluatePlain($result)); - if ($findings != '') { - $message .= "\n" . $findings; - } - } - - $output[$check->id()] = [ - 'message' => (string) $message, - 'status' => $status, - 'findings' => $result->findings(), - ]; - } - } - - return $output; -} diff --git a/web/modules/contrib/security_review/security_review.info.yml b/web/modules/contrib/security_review/security_review.info.yml deleted file mode 100644 index 5c810f828..000000000 --- a/web/modules/contrib/security_review/security_review.info.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: Security Review -type: module -description: 'Site security and configuration review module.' -package: Security -core: 8.x -configure: security_review.settings diff --git a/web/modules/contrib/security_review/security_review.install b/web/modules/contrib/security_review/security_review.install deleted file mode 100644 index 999114962..000000000 --- a/web/modules/contrib/security_review/security_review.install +++ /dev/null @@ -1,80 +0,0 @@ -admin/people/permissions. Be sure to grant permissions to trusted users only as this module can show sensitive site information.', - [':url' => Url::fromRoute('user.admin_permissions')->toString()] - ) - ); -} - -/** - * Implements hook_requirements(). - */ -function security_review_requirements($phase) { - $requirements = []; - - // Provides a Status Report entry. - if ($phase == 'runtime') { - /** @var \Drupal\security_review\Checklist $checklist */ - $checklist = Drupal::service('security_review.checklist'); - - $failed_checks = FALSE; - $no_results = TRUE; - - // Looks for failed checks. - foreach ($checklist->getEnabledChecks() as $check) { - $result = $check->lastResult(); - if ($result instanceof CheckResult) { - $no_results = FALSE; - if ($result->result() === CheckResult::FAIL) { - $failed_checks = TRUE; - break; - } - } - } - - $module_url = Url::fromRoute('security_review')->toString(); - if ($no_results) { - $severity = REQUIREMENT_WARNING; - $value = t( - 'The Security Review checklist has not been run. Run the checklist', - [':url' => $module_url] - ); - } - elseif ($failed_checks) { - $severity = REQUIREMENT_WARNING; - $value = t( - 'There are failed Security Review checks. Review the checklist', - [':url' => $module_url] - ); - } - else { - $severity = REQUIREMENT_OK; - $value = t( - 'Passing all non-ignored Security Review checks. Review the checklist', - [':url' => $module_url] - ); - } - $requirements['security_review'] = [ - 'title' => t('Security Review'), - 'severity' => $severity, - 'value' => $value, - ]; - } - - return $requirements; -} diff --git a/web/modules/contrib/security_review/security_review.libraries.yml b/web/modules/contrib/security_review/security_review.libraries.yml deleted file mode 100644 index 0eccdf974..000000000 --- a/web/modules/contrib/security_review/security_review.libraries.yml +++ /dev/null @@ -1,10 +0,0 @@ -run_and_review: - version: VERSION - css: - theme: - css/security_review.run_and_review.css: {} - js: - js/security_review.run_and_review.js: {} - dependencies: - - core/jquery - - core/drupal diff --git a/web/modules/contrib/security_review/security_review.links.menu.yml b/web/modules/contrib/security_review/security_review.links.menu.yml deleted file mode 100644 index 89ec97a7e..000000000 --- a/web/modules/contrib/security_review/security_review.links.menu.yml +++ /dev/null @@ -1,11 +0,0 @@ -security_review: - route_name: security_review - title: 'Security review' - description: 'Perform a review of the security of your site.' - parent: system.admin_reports - -security_review.settings: - route_name: security_review.settings - title: 'Security Review' - description: 'Choose which roles are untrusted, set logging, skip or enable security checks and modify check-specific settings.' - parent: system.admin_config_system diff --git a/web/modules/contrib/security_review/security_review.links.task.yml b/web/modules/contrib/security_review/security_review.links.task.yml deleted file mode 100644 index 64278e8d0..000000000 --- a/web/modules/contrib/security_review/security_review.links.task.yml +++ /dev/null @@ -1,16 +0,0 @@ -security_review: - route_name: security_review - title: 'Run & review' - base_route: security_review - -security_review.help: - route_name: security_review.help - title: 'Help' - weight: 10 - base_route: security_review - -security_review.settings: - route_name: security_review.settings - title: 'Settings' - weight: 15 - base_route: security_review diff --git a/web/modules/contrib/security_review/security_review.module b/web/modules/contrib/security_review/security_review.module deleted file mode 100644 index 508f62534..000000000 --- a/web/modules/contrib/security_review/security_review.module +++ /dev/null @@ -1,229 +0,0 @@ -log($level, $message, $context); -} - -/** - * Implements hook_modules_uninstalled(). - */ -function security_review_modules_uninstalled($modules) { - /** @var \Drupal\security_review\SecurityReview $security_review */ - $security_review = Drupal::service('security_review'); - - // Clean orphaned checks. - $security_review->cleanStorage(); -} - -/** - * Implements hook_modules_installed(). - */ -function security_review_modules_installed($modules) { - // Post-install hook. - if (in_array('security_review', $modules)) { - - /** @var \Drupal\security_review\SecurityReview $security_review */ - $security_review = Drupal::service('security_review'); - - // Clean orphaned checks. - $security_review->cleanStorage(); - - // Store the web server's user. - $security_review->setServerData(); - } -} - -/** - * Implements hook_theme(). - */ -function security_review_theme($existing, $type, $theme, $path) { - return [ - 'check_evaluation' => [ - 'template' => 'check_evaluation', - 'variables' => [ - 'paragraphs' => [], - 'items' => [], - ], - ], - 'check_help' => [ - 'template' => 'check_help', - 'variables' => [ - 'title' => [], - 'paragraphs' => [], - ], - ], - 'general_help' => [ - 'template' => 'general_help', - 'variables' => [ - 'paragraphs' => [], - 'checks' => [], - ], - ], - 'run_and_review' => [ - 'template' => 'run_and_review', - 'variables' => [ - 'date' => [], - 'checks' => [], - ], - ], - ]; -} - -/** - * Preprocesses variables for template 'run_and_review'. - */ -function template_preprocess_run_and_review(&$variables) { - // Get icon list. - $icons_root = '/core/misc/icons/'; - $variables['icons'] = [ - 'success' => $icons_root . '73b355/check.svg', - 'warning' => $icons_root . 'e29700/warning.svg', - 'fail' => $icons_root . 'e32700/error.svg', - ]; - - // Generate full URLs. - foreach ($variables['icons'] as $icon => $path) { - $variables['icons'][$icon] = Url::fromUserInput($path)->setAbsolute() - ->toString(); - } - - // Format date. - $variables['date'] = \Drupal::service('date.formatter')->format($variables['date']); - - // Convert check result integers to strings. - foreach ($variables['checks'] as &$check) { - if (isset($check['result'])) { - switch ($check['result']) { - case CheckResult::SUCCESS: - $check['result'] = 'success'; - break; - - case CheckResult::FAIL: - $check['result'] = 'fail'; - break; - - case CheckResult::WARN: - $check['result'] = 'warning'; - break; - - case CheckResult::INFO: - $check['result'] = 'info'; - break; - } - } - } -} - -/** - * Implements hook_cron(). - */ -function security_review_cron() { - // Store the web server's user. - Drupal::service('security_review')->setServerData(); -} - -/** - * Batch operation: runs a single check. - * - * @param \Drupal\security_review\Check $check - * The check to run. - * @param array $context - * The Batch context. - */ -function _security_review_batch_run_op(Check $check, array &$context) { - // Inform the user about the progress. - $context['message'] = $check->getTitle(); - - // Run the check. - $results = Drupal::service('security_review.checklist') - ->runChecks([$check]); - - // Store the results. - $context['results'] = array_merge($context['results'], $results); -} - -/** - * Callback for finishing the batch job of running the checklist. - * - * @param bool $success - * Whether the batch job was successful. - * @param \Drupal\security_review\CheckResult[] $results - * The results of the batch job. - * @param array $operations - * The array of batch operations. - */ -function _security_review_batch_run_finished($success, array $results, array $operations) { - /** @var \Drupal\security_review\SecurityReview $security_review */ - $security_review = Drupal::service('security_review'); - - /** @var \Drupal\security_review\Checklist $checklist */ - $checklist = Drupal::service('security_review.checklist'); - - $security_review->setLastRun(time()); - if ($success) { - if (!empty($results)) { - $checklist->storeResults($results); - } - drupal_set_message(t('Review complete')); - } - else { - // Show error information. - $error_operation = reset($operations); - $message = t( - 'An error occurred while processing %error_operation with arguments: @arguments', - [ - '%error_operation' => $error_operation[0], - '@arguments' => print_r($error_operation[1], TRUE), - ] - ); - $security_review->log(NULL, $message, [], RfcLogLevel::ERROR); - drupal_set_message(t('The review did not store all results, please run again or check the logs for details.')); - } -} diff --git a/web/modules/contrib/security_review/security_review.permissions.yml b/web/modules/contrib/security_review/security_review.permissions.yml deleted file mode 100644 index 9b1ea80d1..000000000 --- a/web/modules/contrib/security_review/security_review.permissions.yml +++ /dev/null @@ -1,7 +0,0 @@ -access security review list: - title: 'Access security review pages' - description: 'View security review checks and output. Give only to trusted users.' - -run security checks: - title: 'Run security review checks' - description: 'Run the security review checks.' diff --git a/web/modules/contrib/security_review/security_review.routing.yml b/web/modules/contrib/security_review/security_review.routing.yml deleted file mode 100644 index e7433e0ec..000000000 --- a/web/modules/contrib/security_review/security_review.routing.yml +++ /dev/null @@ -1,29 +0,0 @@ -security_review: - path: 'admin/reports/security-review' - defaults: - _controller: '\Drupal\security_review\Controller\ChecklistController::index' - requirements: - _permission: 'access security review list' - -security_review.help: - path: 'admin/reports/security-review/help/{namespace}/{title}' - defaults: - _controller: '\Drupal\security_review\Controller\HelpController::index' - namespace: ~ - title: ~ - requirements: - _permission: 'access security review list' - -security_review.settings: - path: 'admin/config/security-review' - defaults: - _form: '\Drupal\security_review\Form\SettingsForm' - requirements: - _permission: 'access security review list' - -security_review.toggle: - path: 'admin/reports/security-review/toggle/{check_id}' - defaults: - _controller: '\Drupal\security_review\Controller\ToggleController::index' - requirements: - _permission: 'access security review list' diff --git a/web/modules/contrib/security_review/security_review.services.yml b/web/modules/contrib/security_review/security_review.services.yml deleted file mode 100644 index 43827d766..000000000 --- a/web/modules/contrib/security_review/security_review.services.yml +++ /dev/null @@ -1,12 +0,0 @@ -services: - security_review: - class: Drupal\security_review\SecurityReview - arguments: ['@config.factory', '@state', '@module_handler', '@current_user'] - - security_review.checklist: - class: Drupal\security_review\Checklist - arguments: ['@security_review', '@module_handler', '@current_user'] - - security_review.security: - class: Drupal\security_review\Security - arguments: ['@security_review', '@module_handler', '@config.factory', '@kernel'] diff --git a/web/modules/contrib/security_review/src/Check.php b/web/modules/contrib/security_review/src/Check.php deleted file mode 100644 index df18deb2d..000000000 --- a/web/modules/contrib/security_review/src/Check.php +++ /dev/null @@ -1,542 +0,0 @@ -container = \Drupal::getContainer(); - - $this->config = $this->configFactory() - ->getEditable('security_review.check.' . $this->id()); - $this->settings = new CheckSettings($this, $this->config); - $this->state = $this->container->get('state'); - $this->statePrefix = 'security_review.check.' . $this->id() . '.'; - - // Set check ID in config. - if ($this->config->get('id') != $this->id()) { - $this->config->set('id', $this->id()); - $this->config->save(); - } - } - - /** - * Returns the namespace of the check. - * - * Usually it's the same as the module's name. - * - * Naming rules (if overridden): - * - All characters should be lowerspace. - * - Use characters only from the english alphabet. - * - Don't use spaces (use "_" instead). - * - * @return string - * Machine namespace of the check. - */ - public function getMachineNamespace() { - $namespace = strtolower($this->getNamespace()); - $namespace = preg_replace("/[^a-z0-9 ]/", '', $namespace); - $namespace = str_replace(' ', '_', $namespace); - - return $namespace; - } - - /** - * Returns the namespace of the check. - * - * Usually it's the same as the module's name. - * - * @return string - * Human-readable namespace of the check. - */ - public abstract function getNamespace(); - - /** - * Returns the machine name of the check. - * - * Naming rules (if overridden): - * - All characters should be lowerspace. - * - Use characters only from the english alphabet. - * - Don't use spaces (use "_" instead). - * - * @return string - * ID of check. - */ - public function getMachineTitle() { - $title = strtolower($this->getTitle()); - $title = preg_replace("/[^a-z0-9 ]/", '', $title); - $title = str_replace(' ', '_', $title); - - return $title; - } - - /** - * Returns the human-readable title of the check. - * - * @return string - * Title of check. - */ - public abstract function getTitle(); - - /** - * Returns the identifier constructed using the namespace and title values. - * - * @return string - * Unique identifier of the check. - */ - public final function id() { - return $this->getMachineNamespace() . '-' . $this->getMachineTitle(); - } - - /** - * Returns whether the findings should be stored or reproduced when needed. - * - * The only case when this function should return false is if the check can - * generate a lot of findings (like the File permissions check for example). - * Turning this off for checks that don't generate findings at all or just a - * few of them actually means more overhead as the check has to be re-run - * in order to get its last result. - * - * @return bool - * Boolean indicating whether findings will be stored. - */ - public function storesFindings() { - return TRUE; - } - - /** - * Returns the check-specific settings' handler. - * - * @return \Drupal\security_review\CheckSettingsInterface - * The settings interface of the check. - */ - public function settings() { - return $this->settings; - } - - /** - * The actual procedure of carrying out the check. - * - * @return \Drupal\security_review\CheckResult - * The result of running the check. - */ - public abstract function run(); - - /** - * Same as run(), but used in CLI context such as Drush. - * - * @return \Drupal\security_review\CheckResult - * The result of running the check. - */ - public function runCli() { - return $this->run(); - } - - /** - * Returns the check-specific help page. - * - * @return array - * The render array of the check's help page. - */ - public abstract function help(); - - /** - * Returns the evaluation page of a result. - * - * Usually this is a list of the findings and an explanation. - * - * @param \Drupal\security_review\CheckResult $result - * The check result to evaluate. - * - * @return array - * The render array of the evaluation page. - */ - public function evaluate(CheckResult $result) { - return []; - } - - /** - * Evaluates a CheckResult and returns a plaintext output. - * - * @param \Drupal\security_review\CheckResult $result - * The check result to evaluate. - * - * @return string - * The evaluation string. - */ - public function evaluatePlain(CheckResult $result) { - return ''; - } - - /** - * Converts a result integer to a human-readable result message. - * - * @param int $result_const - * The result integer. - * - * @return string - * The human-readable result message. - */ - public abstract function getMessage($result_const); - - /** - * Returns the last stored result of the check. - * - * Returns null if no results have been stored yet. - * - * @param bool $get_findings - * Whether to get the findings too. - * - * @return \Drupal\security_review\CheckResult|null - * The last stored result (or null). - */ - public function lastResult($get_findings = FALSE) { - // Get stored data from State system. - $state_prefix = $this->statePrefix . 'last_result.'; - $result = $this->state->get($state_prefix . 'result'); - if ($get_findings) { - $findings = $this->state->get($state_prefix . 'findings'); - } - else { - $findings = []; - } - $time = $this->state->get($state_prefix . 'time'); - // Force boolean value. - $visible = $this->state->get($state_prefix . 'visible') == TRUE; - - // Check validity of stored data. - $valid_result = is_int($result) - && $result >= CheckResult::SUCCESS - && $result <= CheckResult::INFO; - $valid_findings = is_array($findings); - $valid_time = is_int($time) && $time > 0; - - // If invalid, return NULL. - if (!$valid_result || !$valid_findings || !$valid_time) { - return NULL; - } - - // Construct the CheckResult. - $last_result = new CheckResult($this, $result, $findings, $visible, $time); - - // Do a check run for acquiring findings if required. - if ($get_findings && !$this->storesFindings()) { - // Run the check to get the findings. - $fresh_result = $this->run(); - - // If it malfunctioned return the last known good result. - if (!($fresh_result instanceof CheckResult)) { - return $last_result; - } - - if ($fresh_result->result() != $last_result->result()) { - // If the result is not the same store the new result and return it. - $this->storeResult($fresh_result); - $this->securityReview()->logCheckResult($fresh_result); - return $fresh_result; - } - else { - // Else return the old result with the fresh one's findings. - return CheckResult::combine($last_result, $fresh_result); - } - } - - return $last_result; - } - - /** - * Returns the timestamp the check was last run. - * - * Returns 0 if it has not been run yet. - * - * @return int - * The timestamp of the last stored result. - */ - public function lastRun() { - $last_result_time = $this->state - ->get($this->statePrefix . 'last_result.time'); - - if (!is_int($last_result_time)) { - return 0; - } - return $last_result_time; - } - - /** - * Returns whether the check is skipped. Checks are not skipped by default. - * - * @return bool - * Boolean indicating whether the check is skipped. - */ - public function isSkipped() { - $is_skipped = $this->config->get('skipped'); - - if (!is_bool($is_skipped)) { - return FALSE; - } - return $is_skipped; - } - - /** - * Returns the user the check was skipped by. - * - * Returns null if it hasn't been skipped yet or the user that skipped the - * check is not valid anymore. - * - * @return \Drupal\user\Entity\User|null - * The user the check was last skipped by (or null). - */ - public function skippedBy() { - $skipped_by = $this->config->get('skipped_by'); - - if (!is_int($skipped_by)) { - return NULL; - } - return User::load($skipped_by); - } - - /** - * Returns the timestamp the check was last skipped on. - * - * Returns 0 if it hasn't been skipped yet. - * - * @return int - * The UNIX timestamp the check was last skipped on (or 0). - */ - public function skippedOn() { - $skipped_on = $this->config->get('skipped_on'); - - if (!is_int($skipped_on)) { - return 0; - } - return $skipped_on; - } - - /** - * Enables the check. Has no effect if the check was not skipped. - */ - public function enable() { - if ($this->isSkipped()) { - $this->config->set('skipped', FALSE); - $this->config->save(); - - // Log. - $context = ['@name' => $this->getTitle()]; - $this->securityReview()->log($this, '@name check no longer skipped', $context, RfcLogLevel::NOTICE); - } - } - - /** - * Marks the check as skipped. - * - * It still can be ran manually, but will remain skipped on the Run & Review - * page. - */ - public function skip() { - if (!$this->isSkipped()) { - // Store skip data. - $this->config->set('skipped', TRUE); - $this->config->set('skipped_by', $this->currentUser()->id()); - $this->config->set('skipped_on', time()); - $this->config->save(); - - // Log. - $context = ['@name' => $this->getTitle()]; - $this->securityReview()->log($this, '@name check skipped', $context, RfcLogLevel::NOTICE); - } - } - - /** - * Stores a result in the state system. - * - * @param \Drupal\security_review\CheckResult $result - * The result to store. - */ - public function storeResult(CheckResult $result) { - if ($result == NULL) { - $context = [ - '@reviewcheck' => $this->getTitle(), - '@namespace' => $this->getNamespace(), - ]; - $this->securityReview()->log($this, 'Unable to store check @reviewcheck for @namespace', $context, RfcLogLevel::CRITICAL); - return; - } - - $findings = $this->storesFindings() ? $result->findings() : []; - $this->state->setMultiple([ - $this->statePrefix . 'last_result.result' => $result->result(), - $this->statePrefix . 'last_result.time' => $result->time(), - $this->statePrefix . 'last_result.visible' => $result->isVisible(), - $this->statePrefix . 'last_result.findings' => $findings, - ]); - } - - /** - * Creates a new CheckResult for this Check. - * - * @param int $result - * The result integer (see the constants defined in CheckResult). - * @param array $findings - * The findings. - * @param bool $visible - * The visibility of the result. - * @param int $time - * The time the test was run. - * - * @return \Drupal\security_review\CheckResult - * The created CheckResult. - */ - public function createResult($result, array $findings = [], $visible = TRUE, $time = NULL) { - return new CheckResult($this, $result, $findings, $visible, $time); - } - - /** - * Returns the Security Review Checklist service. - * - * @return \Drupal\security_review\Checklist - * Security Review's Checklist service. - */ - protected function checklist() { - return $this->container->get('security_review.checklist'); - } - - /** - * Returns the Config factory. - * - * @return \Drupal\Core\Config\ConfigFactory - * Config factory. - */ - protected function configFactory() { - return $this->container->get('config.factory'); - } - - /** - * Returns the service container. - * - * @return \Symfony\Component\DependencyInjection\ContainerInterface - * Service container. - */ - protected function container() { - return $this->container; - } - - /** - * Returns the current Drupal user. - * - * @return \Drupal\Core\Session\AccountProxy - * Current Drupal user. - */ - protected function currentUser() { - return $this->container->get('current_user'); - } - - /** - * Returns the database connection. - * - * @return \Drupal\Core\Database\Connection - * Database connection. - */ - protected function database() { - return $this->container->get('database'); - } - - /** - * Returns the entity manager. - * - * @return \Drupal\Core\Entity\EntityManagerInterface - * Entity manager. - */ - protected function entityManager() { - return $this->container->get('entity.manager'); - } - - /** - * Returns the Drupal Kernel. - * - * @return \Drupal\Core\DrupalKernel - * Drupal Kernel. - */ - protected function kernel() { - return $this->container->get('kernel'); - } - - /** - * Returns the module handler. - * - * @return \Drupal\Core\Extension\ModuleHandler - * Module handler. - */ - protected function moduleHandler() { - return $this->container->get('module_handler'); - } - - /** - * Returns the Security Review Security service. - * - * @return \Drupal\security_review\Security - * Security Review's Security service. - */ - protected function security() { - return $this->container->get('security_review.security'); - } - - /** - * Returns the Security Review service. - * - * @return \Drupal\security_review\SecurityReview - * Security Review service. - */ - protected function securityReview() { - return $this->container->get('security_review'); - } - -} diff --git a/web/modules/contrib/security_review/src/CheckResult.php b/web/modules/contrib/security_review/src/CheckResult.php deleted file mode 100644 index 8307a8b9b..000000000 --- a/web/modules/contrib/security_review/src/CheckResult.php +++ /dev/null @@ -1,168 +0,0 @@ -check = $check; - - // Set the result value. - $result = intval($result); - if ($result < self::SUCCESS || $result > self::INFO) { - $result = self::INFO; - } - $this->result = $result; - - // Set the findings. - $this->findings = $findings; - - // Set the visibility. - $this->visible = $visible; - - // Set the timestamp. - if (!is_int($time)) { - $this->time = time(); - } - else { - $this->time = intval($time); - } - } - - /** - * Combines two CheckResults. - * - * Combines two CheckResults and returns a new one with the old one's fields - * except for the findings which are copied from the fresh result. - * - * @param \Drupal\security_review\CheckResult $old - * The old result to clone. - * @param \Drupal\security_review\CheckResult $fresh - * The new result to copy the findings from. - * - * @return \Drupal\security_review\CheckResult - * The combined result. - */ - public static function combine(CheckResult $old, CheckResult $fresh) { - return new CheckResult($old->check, $old->result, $fresh->findings, $old->visible, $old->time); - } - - /** - * Returns the parent Check. - * - * @return \Drupal\security_review\Check - * The Check that created this result. - */ - public function check() { - return $this->check; - } - - /** - * Returns the outcome of the check. - * - * @return int - * The result integer. - */ - public function result() { - return $this->result; - } - - /** - * Returns the findings. - * - * @return array - * The findings. Contents of this depends on the actual check. - */ - public function findings() { - return $this->findings; - } - - /** - * Returns the timestamp. - * - * @return int - * The timestamp the result was created on. - */ - public function time() { - return $this->time; - } - - /** - * Returns the visibility of the result. - * - * @return bool - * Whether the result should be shown on the UI. - */ - public function isVisible() { - return $this->visible; - } - - /** - * Returns the result message. - * - * @return string - * The result message for this result. - */ - public function resultMessage() { - return $this->check->getMessage($this->result); - } - -} diff --git a/web/modules/contrib/security_review/src/CheckSettings.php b/web/modules/contrib/security_review/src/CheckSettings.php deleted file mode 100644 index 5e9fce9c6..000000000 --- a/web/modules/contrib/security_review/src/CheckSettings.php +++ /dev/null @@ -1,81 +0,0 @@ -check = $check; - $this->config = $config; - } - - /** - * {@inheritdoc} - */ - public function get($key, $default_value = NULL) { - $value = $this->config->get('settings.' . $key); - - if ($value == NULL) { - return $default_value; - } - return $value; - } - - /** - * {@inheritdoc} - */ - public function set($key, $value) { - $this->config->set('settings.' . $key, $value); - $this->config->save(); - return $this; - } - - /** - * {@inheritdoc} - */ - public function buildForm() { - return []; - } - - /** - * {@inheritdoc} - */ - public function validateForm(array &$form, array $values) { - // Validation is optional. - } - - /** - * {@inheritdoc} - */ - public function submitForm(array &$form, array $values) { - // Handle submission. - } - -} diff --git a/web/modules/contrib/security_review/src/CheckSettings/TrustedHostSettings.php b/web/modules/contrib/security_review/src/CheckSettings/TrustedHostSettings.php deleted file mode 100644 index feb95bb64..000000000 --- a/web/modules/contrib/security_review/src/CheckSettings/TrustedHostSettings.php +++ /dev/null @@ -1,38 +0,0 @@ - 'radios', - '#title' => t('Check method'), - '#description' => t('Detecting the $base_url in settings.php can be done via PHP tokenization (recommended) or including the file. Note that if you have custom functionality in your settings.php it will be executed if the file is included. Including the file can result in a more accurate $base_url check if you wrap the setting in conditional statements.'), - '#options' => [ - 'token' => t('Tokenize settings.php (recommended)'), - 'include' => t('Include settings.php'), - ], - '#default_value' => $this->get('method', 'token'), - ]; - - return $form; - } - - /** - * {@inheritdoc} - */ - public function submitForm(array &$form, array $values) { - $this->set('method', $values['method']); - } - -} diff --git a/web/modules/contrib/security_review/src/CheckSettingsInterface.php b/web/modules/contrib/security_review/src/CheckSettingsInterface.php deleted file mode 100644 index 146e12c01..000000000 --- a/web/modules/contrib/security_review/src/CheckSettingsInterface.php +++ /dev/null @@ -1,64 +0,0 @@ -securityReview = $security_review; - $this->moduleHandler = $module_handler; - $this->currentUser = $current_user; - } - - /** - * Array of cached Checks. - * - * @var \Drupal\security_review\Check[] - */ - private static $cachedChecks = []; - - /** - * Clears the cached checks. - */ - public static function clearCache() { - static::$cachedChecks = []; - } - - /** - * Returns every Check. - * - * @return \Drupal\security_review\Check[] - * Array of Checks. - */ - public function getChecks() { - $checks = &static::$cachedChecks; - if (!empty($checks)) { - return $checks; - } - - // Get checks. - $raw_checks = $this->moduleHandler->invokeAll('security_review_checks'); - - // Filter invalid checks. - $checks = []; - foreach ($raw_checks as $raw_check) { - if ($raw_check instanceof Check) { - $checks[] = $raw_check; - } - } - - // Sort the checks. - usort($checks, [$this, 'compareChecks']); - - return $checks; - } - - /** - * Returns the enabled Checks. - * - * @return \Drupal\security_review\Check[] - * Array of enabled Checks. - */ - public function getEnabledChecks() { - $enabled = []; - - foreach (static::getChecks() as $check) { - if (!$check->isSkipped()) { - $enabled[] = $check; - } - } - - return $enabled; - } - - /** - * Groups an array of checks by their namespaces. - * - * @param \Drupal\security_review\Check[] $checks - * The array of Checks to group. - * - * @return array - * Array containing Checks grouped by their namespaces. - */ - public function groupChecksByNamespace(array $checks) { - $output = []; - - foreach ($checks as $check) { - $output[$check->getMachineNamespace()][] = $check; - } - - return $output; - } - - /** - * Runs enabled checks and stores their results. - */ - public function runChecklist() { - if ($this->currentUser->hasPermission('run security checks')) { - $checks = $this->getEnabledChecks(); - $results = $this->runChecks($checks); - $this->storeResults($results); - $this->securityReview->setLastRun(time()); - } - else { - throw new AccessException(); - } - } - - /** - * Runs an array of checks. - * - * @param \Drupal\security_review\Check[] $checks - * The array of Checks to run. - * @param bool $cli - * Whether to call runCli() instead of run(). - * - * @return \Drupal\security_review\CheckResult[] - * The array of CheckResults generated. - */ - public function runChecks(array $checks, $cli = FALSE) { - $results = []; - - foreach ($checks as $check) { - if ($cli) { - $result = $check->runCli(); - } - else { - $result = $check->run(); - } - $this->securityReview->logCheckResult($result); - $results[] = $result; - } - - return $results; - } - - /** - * Stores an array of CheckResults. - * - * @param \Drupal\security_review\CheckResult[] $results - * The CheckResults to store. - */ - public function storeResults(array $results) { - foreach ($results as $result) { - $result->check()->storeResult($result); - } - } - - /** - * Finds a check by its namespace and title. - * - * @param string $namespace - * The machine namespace of the requested check. - * @param string $title - * The machine title of the requested check. - * - * @return null|\Drupal\security_review\Check - * The Check or null if it doesn't exist. - */ - public function getCheck($namespace, $title) { - foreach (static::getChecks() as $check) { - $same_namespace = $check->getMachineNamespace() == $namespace; - $same_title = $check->getMachineTitle() == $title; - if ($same_namespace && $same_title) { - return $check; - } - } - - return NULL; - } - - /** - * Finds a Check by its id. - * - * @param string $id - * The machine namespace of the requested check. - * - * @return null|\Drupal\security_review\Check - * The Check or null if it doesn't exist. - */ - public function getCheckById($id) { - foreach (static::getChecks() as $check) { - if ($check->id() == $id) { - return $check; - } - } - - return NULL; - } - - /** - * Helper function for sorting checks. - * - * @param \Drupal\security_review\Check $a - * Check A. - * @param \Drupal\security_review\Check $b - * Check B. - * - * @return int - * The comparison's result. - */ - public function compareChecks(Check $a, Check $b) { - // If one comes from security_review and the other doesn't, prefer the one - // with the security_review namespace. - $a_is_local = $a->getMachineNamespace() == 'security_review'; - $b_is_local = $b->getMachineNamespace() == 'security_review'; - if ($a_is_local && !$b_is_local) { - return -1; - } - elseif (!$a_is_local && $b_is_local) { - return 1; - } - else { - if ($a->getNamespace() == $b->getNamespace()) { - // If the namespaces match, sort by title. - return strcmp($a->getTitle(), $b->getTitle()); - } - else { - // If the namespaces don't mach, sort by namespace. - return strcmp($a->getNamespace(), $b->getNamespace()); - } - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/AdminPermissions.php b/web/modules/contrib/security_review/src/Checks/AdminPermissions.php deleted file mode 100644 index 5551f328e..000000000 --- a/web/modules/contrib/security_review/src/Checks/AdminPermissions.php +++ /dev/null @@ -1,148 +0,0 @@ -security()->permissions(TRUE); - $all_permission_strings = array_keys($all_permissions); - - // Get permissions for untrusted roles. - $untrusted_permissions = $this->security()->untrustedPermissions(TRUE); - foreach ($untrusted_permissions as $rid => $permissions) { - $intersect = array_intersect($all_permission_strings, $permissions); - foreach ($intersect as $permission) { - if (isset($all_permissions[$permission]['restrict access'])) { - $findings[$rid][] = $permission; - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t("Drupal's permission system is extensive and allows for varying degrees of control. Certain permissions would allow a user total control, or the ability to escalate their control, over your site and should only be granted to trusted users."); - return [ - '#theme' => 'check_help', - '#title' => $this->t('Admin and trusted Drupal permissions'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $output = []; - - foreach ($result->findings() as $rid => $permissions) { - $role = Role::load($rid); - /** @var Role $role */ - $paragraphs = []; - $paragraphs[] = $this->t( - "@role has the following restricted permissions:", - [ - '@role' => Link::createFromRoute( - $role->label(), - 'entity.user_role.edit_permissions_form', - ['user_role' => $role->id()] - )->toString(), - ] - ); - - $output[] = [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $permissions, - ]; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $output = ''; - - foreach ($result->findings() as $rid => $permissions) { - $role = Role::load($rid); - /** @var Role $role */ - - $output .= $this->t( - '@role has @permissions', - [ - '@role' => $role->label(), - '@permissions' => implode(', ', $permissions), - ] - ); - $output .= "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Untrusted roles do not have administrative or trusted Drupal permissions.'); - - case CheckResult::FAIL: - return $this->t('Untrusted roles have been granted administrative or trusted Drupal permissions.'); - - default: - return $this->t("Unexpected result."); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/ErrorReporting.php b/web/modules/contrib/security_review/src/Checks/ErrorReporting.php deleted file mode 100644 index 34dd76557..000000000 --- a/web/modules/contrib/security_review/src/Checks/ErrorReporting.php +++ /dev/null @@ -1,115 +0,0 @@ -configFactory()->get('system.logging') - ->get('error_level'); - - // Determine the result. - if (is_null($error_level) || $error_level != 'hide') { - $result = CheckResult::FAIL; - } - else { - $result = CheckResult::SUCCESS; - } - - return $this->createResult($result, ['level' => $error_level]); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('As a form of hardening your site you should avoid information disclosure. Drupal by default prints errors to the screen and writes them to the log. Error messages disclose the full path to the file where the error occurred.'); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Error reporting'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - if ($result->result() == CheckResult::SUCCESS) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('You have error reporting set to both the screen and the log.'); - $paragraphs[] = Link::createFromRoute( - $this->t('Alter error reporting settings.'), - 'system.logging_settings' - ); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => [], - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - if ($result->result() == CheckResult::SUCCESS) { - return ''; - } - - if (isset($result->findings()['level'])) { - return $this->t('Error level: @level', [ - '@level' => $result->findings()['level'], - ]); - } - return ''; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Error reporting set to log only.'); - - case CheckResult::FAIL: - return $this->t('Errors are written to the screen.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/ExecutablePhp.php b/web/modules/contrib/security_review/src/Checks/ExecutablePhp.php deleted file mode 100644 index dd93617f8..000000000 --- a/web/modules/contrib/security_review/src/Checks/ExecutablePhp.php +++ /dev/null @@ -1,225 +0,0 @@ -httpClient = $this->container->get('http_client'); - } - - /** - * {@inheritdoc} - */ - public function getNamespace() { - return 'Security Review'; - } - - /** - * {@inheritdoc} - */ - public function getTitle() { - return 'Executable PHP'; - } - - /** - * {@inheritdoc} - */ - public function run($cli = FALSE) { - global $base_url; - $result = CheckResult::SUCCESS; - $findings = []; - - // Set up test file data. - $message = 'Security review test ' . date('Ymdhis'); - $content = "httpClient->get($base_url . '/' . $file_path); - if ($response->getStatusCode() == 200 && $response->getBody() === $message) { - $result = CheckResult::FAIL; - $findings[] = 'executable_php'; - } - } - catch (RequestException $e) { - // Access was denied to the file. - } - - // Remove the test file. - if (file_exists('./' . $file_path)) { - @unlink('./' . $file_path); - } - - // Check for presence of the .htaccess file and if the contents are correct. - $htaccess_path = PublicStream::basePath() . '/.htaccess'; - if (!file_exists($htaccess_path)) { - $result = CheckResult::FAIL; - $findings[] = 'missing_htaccess'; - } - else { - // Check whether the contents of .htaccess are correct. - $contents = file_get_contents($htaccess_path); - $expected = FileStorage::htaccessLines(FALSE); - - // Trim each line separately then put them back together. - $contents = implode("\n", array_map('trim', explode("\n", trim($contents)))); - $expected = implode("\n", array_map('trim', explode("\n", trim($expected)))); - - if ($contents !== $expected) { - $result = CheckResult::FAIL; - $findings[] = 'incorrect_htaccess'; - } - - // Check whether .htaccess is writable. - if (!$cli) { - $writable_htaccess = is_writable($htaccess_path); - } - else { - $writable = $this->security()->findWritableFiles([$htaccess_path], TRUE); - $writable_htaccess = !empty($writable); - } - - if ($writable_htaccess) { - $findings[] = 'writable_htaccess'; - if ($result !== CheckResult::FAIL) { - $result = CheckResult::WARN; - } - } - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function runCli() { - return $this->run(TRUE); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('The Drupal files directory is for user-uploaded files and by default provides some protection against a malicious user executing arbitrary PHP code against your site.'); - $paragraphs[] = $this->t('Read more about the risk of PHP code execution on Drupal.org.'); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Executable PHP in files directory'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $paragraphs = []; - foreach ($result->findings() as $label) { - switch ($label) { - case 'executable_php': - $paragraphs[] = $this->t('Security Review was able to execute a PHP file written to your files directory.'); - break; - - case 'missing_htaccess': - $directory = PublicStream::basePath(); - $paragraphs[] = $this->t("The .htaccess file is missing from the files directory at @path", ['@path' => $directory]); - $paragraphs[] = $this->t("Note, if you are using a webserver other than Apache you should consult your server's documentation on how to limit the execution of PHP scripts in this directory."); - break; - - case 'incorrect_htaccess': - $paragraphs[] = $this->t("The .htaccess file exists but does not contain the correct content. It is possible it's been maliciously altered."); - break; - - case 'writable_htaccess': - $paragraphs[] = $this->t("The .htaccess file is writable which poses a risk should a malicious user find a way to execute PHP code they could alter the .htaccess file to allow further PHP code execution."); - break; - } - } - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => [], - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $paragraphs = []; - $directory = PublicStream::basePath(); - foreach ($result->findings() as $label) { - switch ($label) { - case 'executable_php': - $paragraphs[] = $this->t('PHP file executed in @path', ['@path' => $directory]); - break; - - case 'missing_htaccess': - $paragraphs[] = $this->t('.htaccess is missing from @path', ['@path' => $directory]); - break; - - case 'incorrect_htaccess': - $paragraphs[] = $this->t('.htaccess wrong content'); - break; - - case 'writable_htaccess': - $paragraphs[] = $this->t('.htaccess writable'); - break; - } - } - - return implode("\n", $paragraphs); - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('PHP files in the Drupal files directory cannot be executed.'); - - case CheckResult::FAIL: - return $this->t('PHP files in the Drupal files directory can be executed.'); - - case CheckResult::WARN: - return $this->t('The .htaccess file in the files directory is writable.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/FailedLogins.php b/web/modules/contrib/security_review/src/Checks/FailedLogins.php deleted file mode 100644 index 1286dfa62..000000000 --- a/web/modules/contrib/security_review/src/Checks/FailedLogins.php +++ /dev/null @@ -1,155 +0,0 @@ -moduleHandler()->moduleExists('dblog')) { - return $this->createResult(CheckResult::INFO, [], FALSE); - } - - $result = CheckResult::SUCCESS; - $findings = []; - $last_result = $this->lastResult(); - $visible = FALSE; - - // Prepare the query. - $query = $this->database()->select('watchdog', 'w'); - $query->fields('w', [ - 'severity', - 'type', - 'timestamp', - 'message', - 'variables', - 'hostname', - ]); - $query->condition('type', 'user') - ->condition('severity', RfcLogLevel::NOTICE) - ->condition('message', 'Login attempt failed from %ip.'); - if ($last_result instanceof CheckResult) { - // Only check entries that got recorded since the last run of the check. - $query->condition('timestamp', $last_result->time(), '>='); - } - - // Execute the query. - $db_result = $query->execute(); - - // Count the number of failed logins per IP. - $entries = []; - foreach ($db_result as $row) { - $ip = unserialize($row->variables)['%ip']; - $entry_for_ip = &$entries[$ip]; - - if (!isset($entry_for_ip)) { - $entry_for_ip = 0; - } - $entry_for_ip++; - } - - // Filter the IPs with more than 10 failed logins. - if (!empty($entries)) { - foreach ($entries as $ip => $count) { - if ($count > 10) { - $findings[] = $ip; - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - $visible = TRUE; - } - - return $this->createResult($result, $findings, $visible); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('Failed login attempts from the same IP may be an artifact of a malicious user attempting to brute-force their way onto your site as an authenticated user to carry out nefarious deeds.'); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Abundant failed logins from the same IP'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('The following IPs were observed with an abundance of failed login attempts.'); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $result->findings(), - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return ''; - } - - $output = $this->t('Suspicious IP addresses:') . ":\n"; - foreach ($findings as $ip) { - $output .= "\t" . $ip . "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::FAIL: - return $this->t('Failed login attempts from the same IP. These may be a brute-force attack to gain access to your site.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/Field.php b/web/modules/contrib/security_review/src/Checks/Field.php deleted file mode 100644 index b41bc8554..000000000 --- a/web/modules/contrib/security_review/src/Checks/Field.php +++ /dev/null @@ -1,233 +0,0 @@ - 'script', - 'PHP' => '?php', - ]; - - /** @var \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager */ - $entity_type_manager = \Drupal::service('entity_type.manager'); - /** @var \Drupal\Core\Entity\EntityFieldManagerInterface $field_manager */ - $field_manager = \Drupal::service('entity_field.manager'); - foreach ($field_manager->getFieldMap() as $entity_type_id => $fields) { - $field_storage_definitions = $field_manager->getFieldStorageDefinitions($entity_type_id); - foreach ($fields as $field_name => $field) { - if (!isset($field_storage_definitions[$field_name])) { - continue; - } - $field_storage_definition = $field_storage_definitions[$field_name]; - if (in_array($field_storage_definition->getType(), $field_types)) { - if ($field_storage_definition instanceof FieldStorageConfig) { - $table = $entity_type_id . '__' . $field_name; - $separator = '_'; - $id = 'entity_id'; - } - else { - $table = $entity_type_id . '_field_data'; - $separator = '__'; - $id = $entity_type_manager->getDefinition($entity_type_id)->getKey('id'); - } - $rows = \Drupal::database()->select($table, 't') - ->fields('t') - ->execute() - ->fetchAll(); - foreach ($rows as $row) { - foreach (array_keys($field_storage_definition->getSchema()['columns']) as $column) { - $column_name = $field_name . $separator . $column; - foreach ($tags as $vulnerability => $tag) { - if (strpos($row->{$column_name}, '<' . $tag) !== FALSE) { - // Vulnerability found. - $findings[$entity_type_id][$row->{$id}][$field_name][] = $vulnerability; - } - } - } - } - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('Script and PHP code in content does not align with Drupal best practices and may be a vulnerability if an untrusted user is allowed to edit such content. It is recommended you remove such contents.'); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Dangerous tags in content'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('The following items potentially have dangerous tags.'); - - $items = []; - foreach ($findings as $entity_type_id => $entities) { - foreach ($entities as $entity_id => $fields) { - $entity = $this->entityManager() - ->getStorage($entity_type_id) - ->load($entity_id); - - foreach ($fields as $field => $finding) { - $items[] = $this->t( - '@vulnerabilities found in @field field of @label', - [ - '@vulnerabilities' => implode(' and ', $finding), - '@field' => $field, - '@label' => $entity->label(), - ':url' => $this->getEntityLink($entity), - ] - ); - } - } - } - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $items, - ]; - } - - /** - * Attempt to get a good link for the given entity. - * - * Falls back on a string with entity type id and id if no good link can - * be found. - * - * @param \Drupal\Core\Entity\Entity $entity - * The entity. - * - * @return string - */ - protected function getEntityLink(Entity $entity) { - try { - $url = $entity->toUrl('edit-form'); - } - catch (UndefinedLinkTemplateException $e) { - $url = NULL; - } - if ($url === NULL) { - try { - $url = $entity->toUrl(); - } - catch (UndefinedLinkTemplateException $e) { - $url = NULL; - } - } - - return $url !== NULL ? $url->toString() : ($entity->getEntityTypeId() . ':' . $entity->id()); - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return ''; - } - - $output = ''; - foreach ($findings as $entity_type_id => $entities) { - foreach ($entities as $entity_id => $fields) { - $entity = $this->entityManager() - ->getStorage($entity_type_id) - ->load($entity_id); - - foreach ($fields as $field => $finding) { - $output .= "\t" . $this->t( - '@vulnerabilities in @field of :link', - [ - '@vulnerabilities' => implode(' and ', $finding), - '@field' => $field, - ':link' => $this->getEntityLink($entity), - ] - ) . "\n"; - } - } - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Dangerous tags were not found in any submitted content (fields).'); - - case CheckResult::FAIL: - return $this->t('Dangerous tags were found in submitted content (fields).'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/Field.php.rej b/web/modules/contrib/security_review/src/Checks/Field.php.rej deleted file mode 100644 index a2413efaf..000000000 --- a/web/modules/contrib/security_review/src/Checks/Field.php.rej +++ /dev/null @@ -1,23 +0,0 @@ ---- src/Checks/Field.php -+++ src/Checks/Field.php -@@ -86,7 +86,7 @@ class Field extends Check { - /** @var TypedDataInterface $property */ - $value = $property->getValue(); - if (is_string($value)) { -- $field_name = $property->getDataDefinition()->getLabel(); -+ $field_name = $item->getFieldDefinition()->getLabel(); - foreach ($tags as $vulnerability => $tag) { - if (strpos($value, '<' . $tag) !== FALSE) { - // Vulnerability found. -@@ -138,9 +138,9 @@ class Field extends Check { - ->load($entity_id); - - foreach ($fields as $field => $finding) { -- $url = $entity->urlInfo('edit-form'); -+ $url = $entity->toUrl('edit-form')->toString(); - if ($url === NULL) { -- $url = $entity->urlInfo(); -+ $url = $entity->toUrl()->toString(); - } - $items[] = $this->t( - '@vulnerabilities found in @field field of @label', diff --git a/web/modules/contrib/security_review/src/Checks/FilePermissions.php b/web/modules/contrib/security_review/src/Checks/FilePermissions.php deleted file mode 100644 index 17972b22b..000000000 --- a/web/modules/contrib/security_review/src/Checks/FilePermissions.php +++ /dev/null @@ -1,242 +0,0 @@ -getFileList('.'); - $writable = $this->security()->findWritableFiles($file_list, $cli); - - // Try creating or appending files. - // Assume it doesn't work. - $create_status = FALSE; - $append_status = FALSE; - - if (!$cli) { - $append_message = $this->t("Your web server should not be able to write to your modules directory. This is a security vulnerable. Consult the Security Review file permissions check help for mitigation steps."); - $directory = $this->moduleHandler() - ->getModule('security_review') - ->getPath(); - - // Write a file with the timestamp. - $file = './' . $directory . '/file_write_test.' . date('Ymdhis'); - if ($file_create = @fopen($file, 'w')) { - $create_status = fwrite($file_create, date('Ymdhis') . ' - ' . $append_message . "\n"); - fclose($file_create); - } - - // Try to append to our IGNOREME file. - $file = './' . $directory . '/IGNOREME.txt'; - if ($file_append = @fopen($file, 'a')) { - $append_status = fwrite($file_append, date('Ymdhis') . ' - ' . $append_message . "\n"); - fclose($file_append); - } - } - - if (!empty($writable) || $create_status || $append_status) { - $result = CheckResult::FAIL; - } - - return $this->createResult($result, $writable); - } - - /** - * {@inheritdoc} - */ - public function runCli() { - if (!$this->securityReview()->isServerPosix()) { - return $this->createResult(CheckResult::INFO); - } - - return $this->run(TRUE); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('It is dangerous to allow the web server to write to files inside the document root of your server. Doing so could allow Drupal to write files that could then be executed. An attacker might use such a vulnerability to take control of your site. An exception is the Drupal files, private files, and temporary directories which Drupal needs permission to write to in order to provide features like file attachments.'); - $paragraphs[] = $this->t('In addition to inspecting existing directories, this test attempts to create and write to your file system. Look in your security_review module directory on the server for files named file_write_test.YYYYMMDDHHMMSS and for a file called IGNOREME.txt which gets a timestamp appended to it if it is writeable.'); - $paragraphs[] = new Link( - $this->t('Read more about file system permissions in the handbooks.'), - Url::fromUri('http://drupal.org/node/244924') - ); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Web server file system permissions'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - if ($result->result() == CheckResult::SUCCESS) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('The following files and directories appear to be writeable by your web server. In most cases you can fix this by simply altering the file permissions or ownership. If you have command-line access to your host try running "chmod 644 [file path]" where [file path] is one of the following paths (relative to your webroot). For more information consult the Drupal.org handbooks on file permissions.'); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $result->findings(), - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - if ($result->result() == CheckResult::SUCCESS) { - return ''; - } - - $output = $this->t('Writable files:') . "\n"; - foreach ($result->findings() as $file) { - $output .= "\t" . $file . "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Drupal installation files and directories (except required) are not writable by the server.'); - - case CheckResult::FAIL: - return $this->t('Some files and directories in your install are writable by the server.'); - - case CheckResult::INFO: - return $this->t('The test cannot be run on this system.'); - - default: - return $this->t('Unexpected result.'); - } - } - - /** - * Scans a directory recursively and returns the files and directories inside. - * - * @param string $directory - * The directory to scan. - * @param string[] $parsed - * Array of already parsed real paths. - * @param string[] $ignore - * Array of file names to ignore. - * - * @return string[] - * The items found. - */ - protected function getFileList($directory, array &$parsed = NULL, array &$ignore = NULL) { - // Initialize $parsed and $ignore arrays. - if ($parsed === NULL) { - $parsed = [realpath($directory)]; - } - if ($ignore === NULL) { - $ignore = $this->getIgnoreList(); - } - - // Start scanning. - $items = []; - if ($handle = opendir($directory)) { - while (($file = readdir($handle)) !== FALSE) { - // Don't check hidden files or ones we said to ignore. - $path = $directory . "/" . $file; - if ($file[0] != "." && !in_array($file, $ignore) && !in_array(realpath($path), $ignore)) { - if (is_dir($path) && !in_array(realpath($path), $parsed)) { - $parsed[] = realpath($path); - $items = array_merge($items, $this->getFileList($path, $parsed, $ignore)); - } - $items[] = preg_replace("/\/\//si", "/", $path); - } - } - closedir($handle); - } - - return $items; - } - - /** - * Returns an array of relative and canonical paths to ignore. - * - * @return string[] - * List of relative and canonical file paths to ignore. - */ - protected function getIgnoreList() { - $file_path = PublicStream::basePath(); - $ignore = ['..', 'CVS', '.git', '.svn', '.bzr', realpath($file_path)]; - - // Add temporary files directory if it's set. - $temp_path = file_directory_temp(); - if (!empty($temp_path)) { - $ignore[] = realpath('./' . rtrim($temp_path, '/')); - } - - // Add private files directory if it's set. - $private_files = PrivateStream::basePath(); - if (!empty($private_files)) { - // Remove leading slash if set. - if (strrpos($private_files, '/') !== FALSE) { - $private_files = substr($private_files, strrpos($private_files, '/') + 1); - } - $ignore[] = $private_files; - } - - $this->moduleHandler()->alter('security_review_file_ignore', $ignore); - return $ignore; - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/InputFormats.php b/web/modules/contrib/security_review/src/Checks/InputFormats.php deleted file mode 100644 index 4145540a3..000000000 --- a/web/modules/contrib/security_review/src/Checks/InputFormats.php +++ /dev/null @@ -1,190 +0,0 @@ -moduleHandler()->moduleExists('filter')) { - return $this->createResult(CheckResult::INFO); - } - - $result = CheckResult::SUCCESS; - $findings = []; - - $formats = filter_formats(); - $untrusted_roles = $this->security()->untrustedRoles(); - $unsafe_tags = $this->security()->unsafeTags(); - - foreach ($formats as $format) { - $format_roles = array_keys(filter_get_roles_by_format($format)); - $intersect = array_intersect($format_roles, $untrusted_roles); - - if (!empty($intersect)) { - // Untrusted users can use this format. - // Check format for enabled HTML filter. - $filter_html_enabled = FALSE; - if ($format->filters()->has('filter_html')) { - $filter_html_enabled = $format->filters('filter_html') - ->getConfiguration()['status']; - } - $filter_html_escape_enabled = FALSE; - if ($format->filters()->has('filter_html_escape')) { - $filter_html_escape_enabled = $format->filters('filter_html_escape') - ->getConfiguration()['status']; - } - - if ($filter_html_enabled) { - $filter = $format->filters('filter_html'); - - // Check for unsafe tags in allowed tags. - $allowed_tags = array_keys($filter->getHTMLRestrictions()['allowed']); - foreach (array_intersect($allowed_tags, $unsafe_tags) as $tag) { - // Found an unsafe tag. - $findings['tags'][$format->id()] = $tag; - } - } - elseif (!$filter_html_escape_enabled) { - // Format is usable by untrusted users but does not contain the HTML - // Filter or the HTML escape. - $findings['formats'][$format->id()] = $format->label(); - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - } - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t("Certain HTML tags can allow an attacker to take control of your site. Drupal's input format system makes use of a set filters to run on incoming text. The 'HTML Filter' strips out harmful tags and Javascript events and should be used on all formats accessible by untrusted users."); - $paragraphs[] = new Link( - $this->t("Read more about Drupal's input formats in the handbooks."), - Url::fromUri('http://drupal.org/node/224921') - ); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Allowed HTML tags in text formats'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $output = []; - - if (!empty($result->findings()['tags'])) { - $paragraphs = []; - $paragraphs[] = Link::createFromRoute( - $this->t('Review your text formats.'), - 'filter.admin_overview' - ); - $paragraphs[] = $this->t('It is recommended you remove the following tags from roles accessible by untrusted users.'); - $output[] = [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $result->findings()['tags'], - ]; - } - - if (!empty($result->findings()['formats'])) { - $paragraphs = []; - $paragraphs[] = $this->t('The following formats are usable by untrusted roles and do not filter or escape allowed HTML tags.'); - $output[] = [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $result->findings()['formats'], - ]; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $output = ''; - - if (!empty($result->findings()['tags'])) { - $output .= $this->t('Tags') . "\n"; - foreach ($result->findings()['tags'] as $tag) { - $output .= "\t$tag\n"; - } - } - - if (!empty($result->findings()['formats'])) { - $output .= $this->t('Formats') . "\n"; - foreach ($result->findings()['formats'] as $format) { - $output .= "\t$format\n"; - } - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Untrusted users are not allowed to input dangerous HTML tags.'); - - case CheckResult::FAIL: - return $this->t('Untrusted users are allowed to input dangerous HTML tags.'); - - case CheckResult::INFO: - return $this->t('Module filter is not enabled.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/PrivateFiles.php b/web/modules/contrib/security_review/src/Checks/PrivateFiles.php deleted file mode 100644 index e40649e15..000000000 --- a/web/modules/contrib/security_review/src/Checks/PrivateFiles.php +++ /dev/null @@ -1,114 +0,0 @@ -createResult($result, ['path' => $file_directory_path], $visible); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t("If you have Drupal's private files feature enabled you should move the files directory outside of the web server's document root. Drupal will secure access to files that it renders the link to, but if a user knows the actual system path they can circumvent Drupal's private files feature. You can protect against this by specifying a files directory outside of the webserver root."); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Private files'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - if ($result->result() != CheckResult::FAIL) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('Your files directory is not outside of the server root.'); - $paragraphs[] = Link::createFromRoute( - $this->t('Edit the files directory path.'), - 'system.file_system_settings' - ); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => [], - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - if ($result->result() != CheckResult::FAIL) { - return ''; - } - - return $this->t('Private files directory: @path', ['@path' => $result->findings()['path']]); - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Private files directory is outside the web server root.'); - - case CheckResult::FAIL: - return $this->t('Private files is enabled but the specified directory is not secure outside the web server root.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/QueryErrors.php b/web/modules/contrib/security_review/src/Checks/QueryErrors.php deleted file mode 100644 index ed61010dd..000000000 --- a/web/modules/contrib/security_review/src/Checks/QueryErrors.php +++ /dev/null @@ -1,168 +0,0 @@ -moduleHandler()->moduleExists('dblog')) { - return $this->createResult(CheckResult::INFO, [], FALSE); - } - - $result = CheckResult::SUCCESS; - $findings = []; - $last_result = $this->lastResult(); - $visible = FALSE; - - // Prepare the query. - $query = $this->database()->select('watchdog', 'w'); - $query->fields('w', [ - 'severity', - 'type', - 'timestamp', - 'message', - 'variables', - 'hostname', - ]); - $query->condition('type', 'php')->condition('severity', RfcLogLevel::ERROR); - if ($last_result instanceof CheckResult) { - // Only check entries that got recorded since the last run of the check. - $query->condition('timestamp', $last_result->time(), '>='); - } - - // Execute the query. - $db_result = $query->execute(); - - // Count the number of query errors per IP. - $entries = []; - foreach ($db_result as $row) { - // Get the message. - if ($row->variables === 'N;') { - $message = $row->message; - } - else { - $message = $this->t($row->message, unserialize($row->variables)); - } - - // Get the IP. - $ip = $row->hostname; - - // Search for query errors. - $message_contains_sql = strpos($message, 'SQL') !== FALSE; - $message_contains_select = strpos($message, 'SELECT') !== FALSE; - if ($message_contains_sql && $message_contains_select) { - $entry_for_ip = &$entries[$ip]; - - if (!isset($entry_for_ip)) { - $entry_for_ip = 0; - } - $entry_for_ip++; - } - } - - // Filter the IPs with more than 10 query errors. - if (!empty($entries)) { - foreach ($entries as $ip => $count) { - if ($count > 10) { - $findings[] = $ip; - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - $visible = TRUE; - } - - return $this->createResult($result, $findings, $visible); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('Database errors triggered from the same IP may be an artifact of a malicious user attempting to probe the system for weaknesses like SQL injection or information disclosure.'); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Abundant query errors from the same IP'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('The following IPs were observed with an abundance of query errors.'); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $result->findings(), - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return ''; - } - - $output = $this->t('Suspicious IP addresses:') . ":\n"; - foreach ($findings as $ip) { - $output .= "\t" . $ip . "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::FAIL: - return $this->t('Query errors from the same IP. These may be a SQL injection attack or an attempt at information disclosure.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/TemporaryFiles.php b/web/modules/contrib/security_review/src/Checks/TemporaryFiles.php deleted file mode 100644 index cbdb0656c..000000000 --- a/web/modules/contrib/security_review/src/Checks/TemporaryFiles.php +++ /dev/null @@ -1,128 +0,0 @@ -security()->sitePath() . '/'; - $dir = scandir($site_path); - foreach ($dir as $file) { - // Set full path to only files. - if (!is_dir($file)) { - $files[] = $site_path . $file; - } - } - $this->moduleHandler()->alter('security_review_temporary_files', $files); - - // Analyze the files' names. - foreach ($files as $path) { - $matches = []; - if (file_exists($path) && preg_match('/.*(~|\.sw[op]|\.bak|\.orig|\.save)$/', $path, $matches) !== FALSE && !empty($matches)) { - // Found a temporary file. - $findings[] = $path; - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t("Some file editors create temporary copies of a file that can be left on the file system. A copy of a sensitive file like Drupal's settings.php may be readable by a malicious user who could use that information to further attack a site."); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Sensitive temporary files'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t("The following are extraneous files in your Drupal installation that can probably be removed. You should confirm you have saved any of your work in the original files prior to removing these."); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $findings, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return ''; - } - - $output = $this->t('Temporary files:') . "\n"; - foreach ($findings as $file) { - $output .= "\t" . $file . "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('No sensitive temporary files were found.'); - - case CheckResult::FAIL: - return $this->t('Sensitive temporary files were found on your files system.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/TrustedHosts.php b/web/modules/contrib/security_review/src/Checks/TrustedHosts.php deleted file mode 100644 index 947f32d85..000000000 --- a/web/modules/contrib/security_review/src/Checks/TrustedHosts.php +++ /dev/null @@ -1,167 +0,0 @@ -settings = new TrustedHostSettings($this, $this->config); - } - - /** - * {@inheritdoc} - */ - public function getNamespace() { - return 'Security Review'; - } - - /** - * {@inheritdoc} - */ - public function getTitle() { - return 'Trusted hosts'; - } - - /** - * {@inheritdoc} - */ - public function run() { - $result = CheckResult::FAIL; - $base_url_set = FALSE; - $trusted_host_patterns_set = FALSE; - $findings = []; - $settings_php = $this->security()->sitePath() . '/settings.php'; - - if (!file_exists($settings_php)) { - return $this->createResult(CheckResult::INFO, [], FALSE); - } - - if ($this->settings()->get('method', 'token') === 'token') { - // Use tokenization. - $content = file_get_contents($settings_php); - $tokens = token_get_all($content); - - $prev_settings_line = -1; - foreach ($tokens as $token) { - if (is_array($token)) { - // Get information about the current token. - $line = $token[2]; - $is_variable = $token[0] === T_VARIABLE; - $is_string = $token[0] === T_CONSTANT_ENCAPSED_STRING; - $is_settings = $is_variable ? $token[1] == '$settings' : FALSE; - $is_base_url = $token[1] == '$base_url'; - $is_thp = trim($token[1], "\"'") == 'trusted_host_patterns'; - $is_after_settings = $line == $prev_settings_line; - - // Check for $base_url. - if ($is_variable && $is_base_url) { - $base_url_set = TRUE; - $result = CheckResult::SUCCESS; - } - - // Check for $settings['trusted_host_patterns']. - if ($is_after_settings && $is_string && $is_thp) { - $trusted_host_patterns_set = TRUE; - $result = CheckResult::SUCCESS; - } - - // If found both settings stop the review. - if ($base_url_set && $trusted_host_patterns_set) { - // Got everything we need. - break; - } - - // Store last $settings line. - if ($is_settings) { - $prev_settings_line = $line; - } - } - } - } - else { - // Use inclusion. - include $settings_php; - $base_url_set = isset($base_url); - $trusted_host_patterns_set = isset($settings['trusted_host_patterns']); - } - - if ($result === CheckResult::FAIL) { - // Provide information if the check failed. - global $base_url; - $findings['base_url'] = $base_url; - $findings['settings'] = $settings_php; - $findings['base_url_set'] = $base_url_set; - $findings['trusted_host_patterns_set'] = $trusted_host_patterns_set; - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t('Often Drupal needs to know the URL(s) it is responding from in order to build full links back to itself (e.g. password reset links sent via email). Until you explicitly tell Drupal what full or partial URL(s) it should respond for it must dynamically detect it based on the incoming request, something that can be malicously spoofed in order to trick someone into unknowningly visiting an attacker\'s site (known as a HTTP host header attack).'); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Drupal trusted hosts'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - global $base_url; - if ($result->result() !== CheckResult::FAIL) { - return []; - } - - $settings_php = $this->security()->sitePath() . '/settings.php'; - - $paragraphs = []; - $paragraphs[] = $this->t('This site is responding from the URL: :url.', [':url' => $base_url]); - $paragraphs[] = $this->t('If the site should be available only at that URL it is recommended that you set it as the $base_url variable in the settings.php file at @file.', ['@file' => $settings_php]); - $paragraphs[] = $this->t('If the site has multiple URLs it can respond from you should whitelist host patterns with trusted_host_patterns in settings.php.'); - $paragraphs[] = new Link($this->t('Read more about HTTP Host Header attacks and setting trusted_host_patterns.'), Url::fromUri('https://www.drupal.org/node/1992030')); - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => [], - ]; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Either $base_url or trusted_host_patterns is set.'); - - case CheckResult::FAIL: - return $this->t('Neither $base_url nor trusted_host_patterns is set.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/UploadExtensions.php b/web/modules/contrib/security_review/src/Checks/UploadExtensions.php deleted file mode 100644 index 8cfe5ad20..000000000 --- a/web/modules/contrib/security_review/src/Checks/UploadExtensions.php +++ /dev/null @@ -1,186 +0,0 @@ -moduleHandler()->moduleExists('field')) { - return $this->createResult(CheckResult::INFO); - } - - $result = CheckResult::SUCCESS; - $findings = []; - - // Check field configuration entities. - foreach (FieldConfig::loadMultiple() as $entity) { - /** @var FieldConfig $entity */ - $extensions = $entity->getSetting('file_extensions'); - if ($extensions != NULL) { - $extensions = explode(' ', $extensions); - $intersect = array_intersect($extensions, $this->security()->unsafeExtensions()); - // $intersect holds the unsafe extensions this entity allows. - foreach ($intersect as $unsafe_extension) { - $findings[$entity->id()][] = $unsafe_extension; - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t( - 'File and image fields allow for uploaded files. Some extensions are considered dangerous because the files can be evaluated and then executed in the browser. A malicious user could use this opening to gain control of your site. Review all fields on your site.', - [':url' => Url::fromRoute('entity.field_storage_config.collection')->toString()] - ); - - return [ - '#theme' => 'check_help', - '#title' => 'Allowed upload extensions', - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('The following extensions are considered unsafe and should be removed or limited from use. Or, be sure you are not granting untrusted users the ability to upload files.'); - - $items = []; - foreach ($findings as $entity_id => $unsafe_extensions) { - $entity = FieldConfig::load($entity_id); - /** @var FieldConfig $entity */ - - foreach ($unsafe_extensions as $extension) { - $item = $this->t( - 'Review @type in @field field on @bundle', - [ - '@type' => $extension, - '@field' => $entity->label(), - '@bundle' => $entity->getTargetBundle(), - ] - ); - - // Try to get an edit url. - try { - $url_params = ['field_config' => $entity->id()]; - if ($entity->getTargetEntityTypeId() == 'node') { - $url_params['node_type'] = $entity->getTargetBundle(); - } - $items[] = Link::createFromRoute( - $item, - sprintf('entity.field_config.%s_field_edit_form', $entity->getTargetEntityTypeId()), - $url_params - ); - } - catch (RouteNotFoundException $e) { - $items[] = $item; - } - } - } - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $items, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return ''; - } - - $output = ''; - foreach ($findings as $entity_id => $unsafe_extensions) { - $entity = FieldConfig::load($entity_id); - /** @var FieldConfig $entity */ - - $output .= $this->t( - '@bundle: field @field', - [ - '@bundle' => $entity->getTargetBundle(), - '@field' => $entity->label(), - ] - ); - $output .= "\n\t" . implode(', ', $unsafe_extensions) . "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Only safe extensions are allowed for uploaded files and images.'); - - case CheckResult::FAIL: - return $this->t('Unsafe file extensions are allowed in uploads.'); - - case CheckResult::INFO: - return $this->t('Module field is not enabled.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Checks/ViewsAccess.php b/web/modules/contrib/security_review/src/Checks/ViewsAccess.php deleted file mode 100644 index 5a28b193b..000000000 --- a/web/modules/contrib/security_review/src/Checks/ViewsAccess.php +++ /dev/null @@ -1,150 +0,0 @@ -moduleHandler()->moduleExists('views')) { - return $this->createResult(CheckResult::INFO); - } - - $result = CheckResult::SUCCESS; - $findings = []; - - $views = View::loadMultiple(); - /** @var View[] $views */ - - // Iterate through views and their displays. - foreach ($views as $view) { - if ($view->status()) { - foreach ($view->get('display') as $display_name => $display) { - $access = &$display['display_options']['access']; - if (isset($access) && $access['type'] == 'none') { - // Access is not controlled for this display. - $findings[$view->id()][] = $display_name; - } - } - } - } - - if (!empty($findings)) { - $result = CheckResult::FAIL; - } - - return $this->createResult($result, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - $paragraphs = []; - $paragraphs[] = $this->t("Views can check if the user is allowed access to the content. It is recommended that all Views implement some amount of access control, at a minimum checking for the permission 'access content'."); - - return [ - '#theme' => 'check_help', - '#title' => $this->t('Views access'), - '#paragraphs' => $paragraphs, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluate(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return []; - } - - $paragraphs = []; - $paragraphs[] = $this->t('The following View displays do not check access.'); - - $items = []; - foreach ($findings as $view_id => $displays) { - $view = View::load($view_id); - /** @var View $view */ - - foreach ($displays as $display) { - $items[] = Link::createFromRoute( - $view->label() . ': ' . $display, - 'entity.view.edit_display_form', - [ - 'view' => $view_id, - 'display_id' => $display, - ] - ); - } - } - - return [ - '#theme' => 'check_evaluation', - '#paragraphs' => $paragraphs, - '#items' => $items, - ]; - } - - /** - * {@inheritdoc} - */ - public function evaluatePlain(CheckResult $result) { - $findings = $result->findings(); - if (empty($findings)) { - return ''; - } - - $output = $this->t('Views without access check:') . ":\n"; - foreach ($findings as $view_id => $displays) { - $output .= "\t" . $view_id . ": " . implode(', ', $displays) . "\n"; - } - - return $output; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - switch ($result_const) { - case CheckResult::SUCCESS: - return $this->t('Views are access controlled.'); - - case CheckResult::FAIL: - return $this->t('There are Views that do not provide any access checks.'); - - case CheckResult::INFO: - return $this->t('Module views is not enabled.'); - - default: - return $this->t('Unexpected result.'); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Controller/ChecklistController.php b/web/modules/contrib/security_review/src/Controller/ChecklistController.php deleted file mode 100644 index 1ce78b6c2..000000000 --- a/web/modules/contrib/security_review/src/Controller/ChecklistController.php +++ /dev/null @@ -1,166 +0,0 @@ -csrfToken = $csrf_token_generator; - $this->checklist = $checklist; - $this->securityReview = $security_review; - } - - /** - * {@inheritdoc} - */ - public static function create(ContainerInterface $container) { - return new static( - $container->get('csrf_token'), - $container->get('security_review'), - $container->get('security_review.checklist') - ); - } - - /** - * Creates the Run & Review page. - * - * @return array - * The 'Run & Review' page's render array. - */ - public function index() { - $run_form = []; - - // If the user has the required permissions, show the RunForm. - if ($this->currentUser()->hasPermission('run security checks')) { - // Get the Run form. - $run_form = $this->formBuilder() - ->getForm('Drupal\security_review\Form\RunForm'); - - // Close the Run form if there are results. - if ($this->securityReview->getLastRun() > 0) { - $run_form['run_form']['#open'] = FALSE; - } - } - - // Print the results if any. - if ($this->securityReview->getLastRun() <= 0) { - // If they haven't configured the site, prompt them to do so. - if (!$this->securityReview->isConfigured()) { - drupal_set_message($this->t('It appears this is your first time using the Security Review checklist. Before running the checklist please review the settings page at admin/reports/security-review/settings to set which roles are untrusted.', - [':url' => Url::fromRoute('security_review.settings')->toString()] - ), 'warning'); - } - } - - return [$run_form, $this->results()]; - } - - /** - * Creates the results' table. - * - * @return array - * The render array for the result table. - */ - public function results() { - // If there are no results return. - if ($this->securityReview->getLastRun() <= 0) { - return []; - } - - $checks = []; - foreach ($this->checklist->getChecks() as $check) { - // Initialize with defaults. - $check_info = [ - 'message' => $this->t( - 'The check "@name" hasn\'t been run yet.', - ['@name' => $check->getTitle()] - ), - 'skipped' => $check->isSkipped(), - ]; - - // Get last result. - $last_result = $check->lastResult(); - if ($last_result != NULL) { - if (!$last_result->isVisible()) { - continue; - } - $check_info['result'] = $last_result->result(); - $check_info['message'] = $last_result->resultMessage(); - } - - // Determine help link. - $check_info['help_link'] = Link::createFromRoute( - 'Details', - 'security_review.help', - [ - 'namespace' => $check->getMachineNamespace(), - 'title' => $check->getMachineTitle(), - ] - ); - - // Add toggle button. - $toggle_text = $check->isSkipped() ? 'Enable' : 'Skip'; - $check_info['toggle_link'] = Link::createFromRoute($toggle_text, - 'security_review.toggle', - ['check_id' => $check->id()], - ['query' => ['token' => $this->csrfToken->get($check->id())]] - ); - - // Add to array of completed checks. - $checks[] = $check_info; - } - - return [ - '#theme' => 'run_and_review', - '#date' => $this->securityReview->getLastRun(), - '#checks' => $checks, - '#attached' => [ - 'library' => ['security_review/run_and_review'], - ], - ]; - } - -} diff --git a/web/modules/contrib/security_review/src/Controller/HelpController.php b/web/modules/contrib/security_review/src/Controller/HelpController.php deleted file mode 100644 index 048be73fb..000000000 --- a/web/modules/contrib/security_review/src/Controller/HelpController.php +++ /dev/null @@ -1,203 +0,0 @@ -checklist = $checklist; - $this->securityReview = $security_review; - $this->dateFormatter = $dateFormatter; - } - - /** - * {@inheritdoc} - */ - public static function create(ContainerInterface $container) { - return new static( - $container->get('security_review'), - $container->get('security_review.checklist'), - $container->get('date.formatter') - ); - } - - /** - * Serves as an entry point for the help pages. - * - * @param string|NULL $namespace - * The namespace of the check (null if general page). - * @param string $title - * The name of the check. - * - * @return array - * The requested help page. - */ - public function index($namespace, $title) { - // If no namespace is set, print the general help page. - if ($namespace === NULL) { - return $this->generalHelp(); - } - - // Print check-specific help. - return $this->checkHelp($namespace, $title); - } - - /** - * Returns the general help page. - * - * @return array - * The general help page. - */ - private function generalHelp() { - $paragraphs = []; - - // Print the general help. - $paragraphs[] = $this->t('You should take the security of your site very seriously. Fortunately, Drupal is fairly secure by default. The Security Review module automates many of the easy-to-make mistakes that render your site insecure, however it does not automatically make your site impenetrable. You should give care to what modules you install and how you configure your site and server. Be mindful of who visits your site and what features you expose for their use.'); - $paragraphs[] = $this->t('You can read more about securing your site in the drupal.org handbooks and on CrackingDrupal.com. There are also additional modules you can install to secure or protect your site. Be aware though that the more modules you have running on your site the greater (usually) attack area you expose.'); - $paragraphs[] = $this->t('Drupal.org Handbook: Introduction to security-related contrib modules'); - - // Print the list of security checks with links to their help pages. - $checks = []; - foreach ($this->checklist->getChecks() as $check) { - // Get the namespace array's reference. - $check_namespace = &$checks[$check->getMachineNamespace()]; - - // Set up the namespace array if not set. - if (!isset($check_namespace)) { - $check_namespace['namespace'] = $check->getNamespace(); - $check_namespace['check_links'] = []; - } - - // Add the link pointing to the check-specific help. - $check_namespace['check_links'][] = Link::createFromRoute( - $this->t('@title', ['@title' => $check->getTitle()]), - 'security_review.help', - [ - 'namespace' => $check->getMachineNamespace(), - 'title' => $check->getMachineTitle(), - ] - ); - } - - return [ - '#theme' => 'general_help', - '#paragraphs' => $paragraphs, - '#checks' => $checks, - ]; - } - - /** - * Returns a check-specific help page. - * - * @param string $namespace - * The namespace of the check. - * @param string $title - * The name of the check. - * - * @return array - * The check's help page. - * - * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException - * If the check is not found. - */ - private function checkHelp($namespace, $title) { - // Get the requested check. - $check = $this->checklist->getCheck($namespace, $title); - - // If the check doesn't exist, throw 404. - if ($check == NULL) { - throw new NotFoundHttpException(); - } - - // Print the help page. - $output = []; - $output[] = $check->help(); - - // If the check is skipped print the skip message, else print the - // evaluation. - if ($check->isSkipped()) { - - if ($check->skippedBy() != NULL) { - $user = $check->skippedBy()->link(); - } - else { - $user = 'Anonymous'; - } - - $skip_message = $this->t( - 'Check marked for skipping on @date by @user', - [ - '@date' => $this->dateFormatter->format($check->skippedOn()), - '@user' => $user, - ] - ); - - $output[] = [ - '#type' => 'markup', - '#markup' => "

    $skip_message

    ", - ]; - } - else { - // Evaluate last result, if any. - $last_result = $check->lastResult(TRUE); - if ($last_result instanceof CheckResult) { - // Separator. - $output[] = [ - '#type' => 'markup', - '#markup' => '
    ', - ]; - - // Evaluation page. - $output[] = $check->evaluate($last_result); - } - } - - // Return the completed page. - return $output; - } - -} diff --git a/web/modules/contrib/security_review/src/Controller/ToggleController.php b/web/modules/contrib/security_review/src/Controller/ToggleController.php deleted file mode 100644 index 4fd9cfefe..000000000 --- a/web/modules/contrib/security_review/src/Controller/ToggleController.php +++ /dev/null @@ -1,134 +0,0 @@ -checklist = $checklist; - $this->csrfToken = $csrf_token_generator; - $this->request = $request->getCurrentRequest(); - } - - /** - * {@inheritdoc} - */ - public static function create(ContainerInterface $container) { - return new static( - $container->get('csrf_token'), - $container->get('request_stack'), - $container->get('security_review.checklist') - ); - } - - /** - * Handles check toggling. - * - * @param string $check_id - * The ID of the check. - * - * @return \Symfony\Component\HttpFoundation\JsonResponse|\Symfony\Component\HttpFoundation\RedirectResponse - * The response. - */ - public function index($check_id) { - // Determine access type. - $ajax = $this->request->query->get('js') == 1; - - // Validate token. - $token = $this->request->query->get('token'); - if ($this->csrfToken->validate($token, $check_id)) { - // Toggle. - $check = $this->checklist->getCheckById($check_id); - if ($check != NULL) { - if ($check->isSkipped()) { - $check->enable(); - } - else { - $check->skip(); - } - } - - // Output. - if ($ajax) { - return new JsonResponse([ - 'skipped' => $check->isSkipped(), - 'toggle_text' => $check->isSkipped() ? $this->t('Enable') : $this->t('Skip'), - 'toggle_href' => Url::fromRoute( - 'security_review.toggle', - ['check_id' => $check->id()], - [ - 'query' => [ - 'token' => $this->csrfToken->get($check->id()), - 'js' => 1, - ], - ] - )->toString(), - ]); - } - else { - // Set message. - if ($check->isSkipped()) { - drupal_set_message($this->t( - '@name check skipped.', - ['@name' => $check->getTitle()] - )); - } - else { - drupal_set_message($this->t( - '@name check no longer skipped.', - ['@name' => $check->getTitle()] - )); - } - - // Redirect back to Run & Review. - return $this->redirect('security_review'); - } - } - - // Go back to Run & Review if the access was wrong. - return $this->redirect('security_review'); - } - -} diff --git a/web/modules/contrib/security_review/src/Form/RunForm.php b/web/modules/contrib/security_review/src/Form/RunForm.php deleted file mode 100644 index 16b50ba84..000000000 --- a/web/modules/contrib/security_review/src/Form/RunForm.php +++ /dev/null @@ -1,95 +0,0 @@ -checklist = $checklist; - } - - /** - * {@inheritdoc} - */ - public static function create(ContainerInterface $container) { - return new static( - $container->get('security_review.checklist') - ); - } - - /** - * {@inheritdoc} - */ - public function getFormId() { - return 'security-review-run'; - } - - /** - * {@inheritdoc} - */ - public function buildForm(array $form, FormStateInterface $form_state) { - if (!$this->currentUser()->hasPermission('run security checks')) { - return []; - } - - $form['run_form'] = [ - '#type' => 'details', - '#title' => $this->t('Run'), - '#description' => $this->t('Click the button below to run the security checklist and review the results.') . '
    ', - '#open' => TRUE, - ]; - - $form['run_form']['submit'] = [ - '#type' => 'submit', - '#value' => $this->t('Run checklist'), - ]; - - // Return the finished form. - return $form; - } - - /** - * {@inheritdoc} - */ - public function submitForm(array &$form, FormStateInterface $form_state) { - $batch = [ - 'operations' => [], - 'finished' => '_security_review_batch_run_finished', - 'title' => $this->t('Performing Security Review'), - 'init_message' => $this->t('Security Review is starting.'), - 'progress_message' => $this->t('Progress @current out of @total.'), - 'error_message' => $this->t('An error occurred. Rerun the process or consult the logs.'), - ]; - - foreach ($this->checklist->getEnabledChecks() as $check) { - $batch['operations'][] = [ - '_security_review_batch_run_op', - [$check], - ]; - } - - batch_set($batch); - } - -} diff --git a/web/modules/contrib/security_review/src/Form/SettingsForm.php b/web/modules/contrib/security_review/src/Form/SettingsForm.php deleted file mode 100644 index 5ba075772..000000000 --- a/web/modules/contrib/security_review/src/Form/SettingsForm.php +++ /dev/null @@ -1,282 +0,0 @@ -checklist = $checklist; - $this->security = $security; - $this->securityReview = $security_review; - $this->dateFormatter = $dateFormatter; - } - - /** - * {@inheritdoc} - */ - public static function create(ContainerInterface $container) { - return new static( - $container->get('config.factory'), - $container->get('security_review.checklist'), - $container->get('security_review.security'), - $container->get('security_review'), - $container->get('date.formatter') - ); - } - - /** - * {@inheritdoc} - */ - public function getFormId() { - return 'security-review-settings'; - } - - /** - * {@inheritdoc} - */ - public function buildForm(array $form, FormStateInterface $form_state) { - // Get the list of checks. - $checks = $this->checklist->getChecks(); - - // Get the user roles. - $roles = user_roles(); - $options = []; - foreach ($roles as $rid => $role) { - $options[$rid] = $role->label(); - } - - // Notify the user if anonymous users can create accounts. - $message = ''; - if (in_array(AccountInterface::AUTHENTICATED_ROLE, $this->security->defaultUntrustedRoles())) { - $message = $this->t('You have allowed anonymous users to create accounts without approval so the authenticated role defaults to untrusted.'); - } - - // Show the untrusted roles form element. - $form['untrusted_roles'] = [ - '#type' => 'checkboxes', - '#title' => $this->t('Untrusted roles'), - '#description' => $this->t( - 'Define which roles are for less trusted users. The anonymous role defaults to untrusted. @message Most Security Review checks look for resources usable by untrusted roles.', - ['@message' => $message] - ), - '#options' => $options, - '#default_value' => $this->security->untrustedRoles(), - ]; - - $form['advanced'] = [ - '#type' => 'details', - '#title' => $this->t('Advanced'), - '#open' => TRUE, - ]; - - // Show the logging setting. - $form['advanced']['logging'] = [ - '#type' => 'checkbox', - '#title' => $this->t('Log checklist results and skips'), - '#description' => $this->t('The result of each check and skip can be logged to watchdog for tracking.'), - '#default_value' => $this->securityReview->isLogging(), - ]; - - // Skipped checks. - $values = []; - $options = []; - foreach ($checks as $check) { - // Determine if check is being skipped. - if ($check->isSkipped()) { - $values[] = $check->id(); - $label = $this->t( - '@name skipped by UID @uid on @date', - [ - '@name' => $check->getTitle(), - '@uid' => $check->skippedBy()->id(), - '@date' => $this->dateFormatter->format($check->skippedOn()), - ] - ); - } - else { - $label = $check->getTitle(); - } - $options[$check->id()] = $label; - } - $form['advanced']['skip'] = [ - '#type' => 'checkboxes', - '#title' => $this->t('Checks to skip'), - '#description' => $this->t('Skip running certain checks. This can also be set on the Run & review page. It is recommended that you do not skip any checks unless you know the result is wrong or the process times out while running.'), - '#options' => $options, - '#default_value' => $values, - ]; - - // Iterate through checklist and get check-specific setting pages. - foreach ($checks as $check) { - // Get the check's setting form. - $check_form = $check->settings()->buildForm(); - - // If not empty, add it to the form. - if (!empty($check_form)) { - // If this is the first non-empty setting page initialize the 'details' - if (!isset($form['advanced']['check_specific'])) { - $form['advanced']['check_specific'] = [ - '#type' => 'details', - '#title' => $this->t('Check-specific settings'), - '#open' => FALSE, - '#tree' => TRUE, - ]; - } - - // Add the form. - $sub_form = &$form['advanced']['check_specific'][$check->id()]; - - $title = $check->getTitle(); - // If it's an external check, show its namespace. - if ($check->getMachineNamespace() != 'security_review') { - $title .= $this->t('%namespace', [ - '%namespace' => $check->getNamespace(), - ]); - } - $sub_form = [ - '#type' => 'details', - '#title' => $title, - '#open' => TRUE, - '#tree' => TRUE, - 'form' => $check_form, - ]; - } - } - - // Return the finished form. - return parent::buildForm($form, $form_state); - } - - /** - * {@inheritdoc} - */ - public function validateForm(array &$form, FormStateInterface $form_state) { - // Run validation for check-specific settings. - if (isset($form['advanced']['check_specific'])) { - $check_specific_values = $form_state->getValue('check_specific'); - foreach ($this->checklist->getChecks() as $check) { - $check_form = &$form['advanced']['check_specific'][$check->id()]; - if (isset($check_form)) { - $check->settings() - ->validateForm($check_form, $check_specific_values[$check->id()]); - } - } - } - } - - /** - * {@inheritdoc} - */ - public function submitForm(array &$form, FormStateInterface $form_state) { - // Frequently used configuration items. - $check_settings = $this->config('security_review.checks'); - - // Save that the module has been configured. - $this->securityReview->setConfigured(TRUE); - - // Save the new untrusted roles. - $untrusted_roles = array_keys(array_filter($form_state->getValue('untrusted_roles'))); - $this->securityReview->setUntrustedRoles($untrusted_roles); - - // Save the new logging setting. - $logging = $form_state->getValue('logging') == 1; - $this->securityReview->setLogging($logging); - - // Skip selected checks. - $skipped = array_keys(array_filter($form_state->getValue('skip'))); - foreach ($this->checklist->getChecks() as $check) { - if (in_array($check->id(), $skipped)) { - $check->skip(); - } - else { - $check->enable(); - } - } - - // Save the check-specific settings. - if (isset($form['advanced']['check_specific'])) { - $check_specific_values = $form_state->getValue('check_specific'); - foreach ($check_specific_values as $id => $values) { - // Get corresponding Check. - $check = $this->checklist->getCheckById($id); - - // Submit parameters. - $check_form = &$form['advanced']['check_specific'][$id]['form']; - $check_form_values = $check_specific_values[$id]['form']; - - // Submit. - $check->settings()->submitForm($check_form, $check_form_values); - } - } - - // Commit the settings. - $check_settings->save(); - - // Finish submitting the form. - parent::submitForm($form, $form_state); - } - - /** - * {@inheritdoc} - */ - protected function getEditableConfigNames() { - return ['security_review.checks']; - } - -} diff --git a/web/modules/contrib/security_review/src/Security.php b/web/modules/contrib/security_review/src/Security.php deleted file mode 100644 index 3104c86d7..000000000 --- a/web/modules/contrib/security_review/src/Security.php +++ /dev/null @@ -1,378 +0,0 @@ -securityReview = $security_review; - $this->moduleHandler = $module_handler; - $this->configFactory = $config_factory; - $this->kernel = $kernel; - } - - /** - * Returns the IDs of untrusted roles. - * - * If the module hasn't been configured yet, it returns the default untrusted - * roles. - * - * @return string[] - * Untrusted roles' IDs. - */ - public function untrustedRoles() { - // If the module hasn't been manually configured yet, return the untrusted - // roles depending on Drupal's actual configuration. - if (!$this->securityReview->isConfigured()) { - return static::defaultUntrustedRoles(); - } - - // Else return the stored untrusted roles. - return $this->securityReview->getUntrustedRoles(); - } - - /** - * Returns the default untrusted roles. - * - * The default untrusted roles are: - * Anonymous : always - * Authenticated : if visitors are allowed to create accounts. - * - * @return string[] - * Default untrusted roles' IDs. - */ - public function defaultUntrustedRoles() { - // Add the Anonymous role to the output array. - $roles = [AccountInterface::ANONYMOUS_ROLE]; - - // Check whether visitors can create accounts. - $user_register = $this->configFactory->get('user.settings') - ->get('register'); - if ($user_register !== USER_REGISTER_ADMINISTRATORS_ONLY) { - // If visitors are allowed to create accounts they are considered - // untrusted. - $roles[] = AccountInterface::AUTHENTICATED_ROLE; - } - - // Return the untrusted roles. - return $roles; - } - - /** - * Returns the permission strings that a group of roles have. - * - * @param string[] $role_ids - * The array of roleIDs to check. - * @param bool $group_by_role_id - * Choose whether to group permissions by role ID. - * - * @return array - * An array of the permissions untrusted roles have. If $groupByRoleId is - * true, the array key is the role ID, the value is the array of permissions - * the role has. - */ - public function rolePermissions(array $role_ids, $group_by_role_id = FALSE) { - // Get the permissions the given roles have, grouped by roles. - $permissions_grouped = user_role_permissions($role_ids); - - // Fill up the administrative roles' permissions too. - foreach ($role_ids as $role_id) { - $role = Role::load($role_id); - /** @var Role $role */ - if ($role->isAdmin()) { - $permissions_grouped[$role_id] = $this->permissions(); - } - } - - if ($group_by_role_id) { - // If the result should be grouped, we have nothing else to do. - return $permissions_grouped; - } - else { - // Merge the grouped permissions into $untrusted_permissions. - $untrusted_permissions = []; - foreach ($permissions_grouped as $permissions) { - $untrusted_permissions = array_merge($untrusted_permissions, $permissions); - } - - // Remove duplicate elements and fix indexes. - $untrusted_permissions = array_values(array_unique($untrusted_permissions)); - return $untrusted_permissions; - } - } - - /** - * Returns the permission strings that untrusted roles have. - * - * @param bool $group_by_role_id - * Choose whether to group permissions by role ID. - * - * @return array - * An array of the permissions untrusted roles have. If $groupByRoleId is - * true, the array key is the role ID, the value is the array of permissions - * the role has. - */ - public function untrustedPermissions($group_by_role_id = FALSE) { - return $this->rolePermissions($this->untrustedRoles(), $group_by_role_id); - } - - /** - * Returns the trusted roles. - * - * @return array - * Trusted roles' IDs. - */ - public function trustedRoles() { - // Get the stored/default untrusted roles. - $untrusted_roles = $this->untrustedRoles(); - - // Iterate through all the roles, and store which are not untrusted. - $trusted = []; - foreach (user_roles() as $role) { - if (!in_array($role->id(), $untrusted_roles)) { - $trusted[] = $role->id(); - } - } - - // Return the trusted roles. - return $trusted; - } - - /** - * Returns the permission strings that trusted roles have. - * - * @param bool $group_by_role_id - * Choose whether to group permissions by role ID. - * - * @return array - * An array of the permissions trusted roles have. If $groupByRoleId is - * true, the array key is the role ID, the value is the array of permissions - * the role has. - */ - public function trustedPermissions($group_by_role_id = FALSE) { - return $this->rolePermissions($this->trustedRoles(), $group_by_role_id); - } - - - /** - * Gets all the permissions. - * - * @param bool $meta - * Whether to return only permission strings or metadata too. - * - * @see \Drupal\user\PermissionHandlerInterface::getPermissions() - * - * @return array - * Array of every permission. - */ - public function permissions($meta = FALSE) { - // Not injected because of hard testability. - $permissions = \Drupal::service('user.permissions')->getPermissions(); - - if (!$meta) { - return array_keys($permissions); - } - return $permissions; - } - - /** - * Gets the list of unsafe HTML tags. - * - * @return string[] - * List of unsafe tags. - */ - public function unsafeTags() { - $unsafe_tags = [ - 'applet', - 'area', - 'audio', - 'base', - 'basefont', - 'body', - 'button', - 'comment', - 'embed', - 'eval', - 'form', - 'frame', - 'frameset', - 'head', - 'html', - 'iframe', - 'image', - 'img', - 'input', - 'isindex', - 'label', - 'link', - 'map', - 'math', - 'meta', - 'noframes', - 'noscript', - 'object', - 'optgroup', - 'option', - 'param', - 'script', - 'select', - 'style', - 'svg', - 'table', - 'td', - 'textarea', - 'title', - 'video', - 'vmlframe', - ]; - - // Alter data. - $this->moduleHandler->alter('security_review_unsafe_tags', $unsafe_tags); - - return $unsafe_tags; - } - - /** - * Gets the list of unsafe file extensions. - * - * @return string[] - * List of unsafe extensions. - */ - public function unsafeExtensions() { - $unsafe_ext = [ - 'swf', - 'exe', - 'html', - 'htm', - 'php', - 'phtml', - 'py', - 'js', - 'vb', - 'vbe', - 'vbs', - ]; - - // Alter data. - $this->moduleHandler - ->alter('security_review_unsafe_extensions', $unsafe_ext); - - return $unsafe_ext; - } - - /** - * Returns the site path. - * - * @return string - * Absolute site path. - */ - public function sitePath() { - return DRUPAL_ROOT . '/' . $this->kernel->getSitePath(); - } - - /** - * Finds files and directories that are writable by the web server. - * - * @param string[] $files - * The files to iterate through. - * @param bool $cli - * Whether it is being invoked in CLI context. - * - * @return string[] - * The files that are writable. - */ - public function findWritableFiles(array $files, $cli = FALSE) { - $writable = []; - if (!$cli) { - // Running from UI. - foreach ($files as $file) { - if (is_writable($file)) { - $writable[] = $file; - } - } - } - else { - // Get the web server's user data. - $uid = $this->securityReview->getServerUid(); - $gids = $this->securityReview->getServerGids(); - - foreach ($files as $file) { - $perms = 0777 & fileperms($file); - // Check write permissions for others. - $ow = ($perms >> 1) & 1; - if ($ow === 1) { - $writable[] = $file; - continue; - } - - // Check write permissions for owner. - $uw = ($perms >> 7) & 1; - if ($uw === 1 && fileowner($file) == $uid) { - $writable[] = $file; - continue; - } - - // Check write permissions for group. - $gw = ($perms >> 4) & 1; - if ($gw === 1 && in_array(filegroup($file), $gids)) { - $writable[] = $file; - } - } - } - return $writable; - } - -} diff --git a/web/modules/contrib/security_review/src/SecurityReview.php b/web/modules/contrib/security_review/src/SecurityReview.php deleted file mode 100644 index fafaa9c53..000000000 --- a/web/modules/contrib/security_review/src/SecurityReview.php +++ /dev/null @@ -1,329 +0,0 @@ -configFactory = $config_factory; - $this->config = $config_factory->getEditable('security_review.settings'); - $this->state = $state; - $this->moduleHandler = $module_handler; - $this->currentUser = $current_user; - } - - /** - * Returns whether the module has been configured. - * - * If the module has been configured on the settings page this function - * returns true. Otherwise it returns false. - * - * @return bool - * A boolean indicating whether the module has been configured. - */ - public function isConfigured() { - return $this->config->get('configured') === TRUE; - } - - /** - * Returns true if logging is enabled, otherwise returns false. - * - * @return bool - * A boolean indicating whether logging is enabled. - */ - public function isLogging() { - // Check for temporary logging. - if (static::$temporaryLogging !== NULL) { - return static::$temporaryLogging; - } - - return $this->config->get('log') === TRUE; - } - - /** - * Returns the last time Security Review has been run. - * - * @return int - * The last time Security Review has been run. - */ - public function getLastRun() { - return $this->state->get('last_run', 0); - } - - /** - * Returns the IDs of the stored untrusted roles. - * - * @return string[] - * Stored untrusted roles' IDs. - */ - public function getUntrustedRoles() { - return $this->config->get('untrusted_roles'); - } - - /** - * Sets the 'configured' flag. - * - * @param bool $configured - * The new value of the 'configured' setting. - */ - public function setConfigured($configured) { - $this->config->set('configured', $configured); - $this->config->save(); - } - - /** - * Sets the 'logging' flag. - * - * @param bool $logging - * The new value of the 'logging' setting. - * @param bool $temporary - * Whether to set only temporarily. - */ - public function setLogging($logging, $temporary = FALSE) { - if (!$temporary) { - $this->config->set('log', $logging); - $this->config->save(); - } - else { - static::$temporaryLogging = ($logging == TRUE); - } - } - - /** - * Sets the 'last_run' value. - * - * @param int $last_run - * The new value for 'last_run'. - */ - public function setLastRun($last_run) { - $this->state->set('last_run', $last_run); - } - - /** - * Stores the given 'untrusted_roles' setting. - * - * @param string[] $untrusted_roles - * The new untrusted roles' IDs. - */ - public function setUntrustedRoles(array $untrusted_roles) { - $this->config->set('untrusted_roles', $untrusted_roles); - $this->config->save(); - } - - /** - * Logs an event. - * - * @param \Drupal\security_review\Check $check - * The Check the message is about. - * @param string $message - * The message. - * @param array $context - * The context of the message. - * @param int $level - * Severity (RfcLogLevel). - */ - public function log(Check $check, $message, array $context, $level) { - if (static::isLogging()) { - $this->moduleHandler->invokeAll( - 'security_review_log', - [ - 'check' => $check, - 'message' => $message, - 'context' => $context, - 'level' => $level, - ] - ); - } - } - - /** - * Logs a check result. - * - * @param \Drupal\security_review\CheckResult $result - * The result to log. - */ - public function logCheckResult(CheckResult $result = NULL) { - if ($this->isLogging()) { - if ($result == NULL) { - $check = $result->check(); - $context = [ - '@check' => $check->getTitle(), - '@namespace' => $check->getNamespace(), - ]; - $this->log($check, '@check of @namespace produced a null result', $context, RfcLogLevel::CRITICAL); - return; - } - - $check = $result->check(); - - // Fallback log message. - $level = RfcLogLevel::NOTICE; - $message = '@name check invalid result'; - - // Set log message and level according to result. - switch ($result->result()) { - case CheckResult::SUCCESS: - $level = RfcLogLevel::INFO; - $message = '@name check succeeded'; - break; - - case CheckResult::FAIL: - $level = RfcLogLevel::ERROR; - $message = '@name check failed'; - break; - - case CheckResult::WARN: - $level = RfcLogLevel::WARNING; - $message = '@name check raised a warning'; - break; - - case CheckResult::INFO: - $level = RfcLogLevel::INFO; - $message = '@name check returned info'; - break; - } - - $context = ['@name' => $check->getTitle()]; - $this->log($check, $message, $context, $level); - } - } - - /** - * Deletes orphaned check data. - */ - public function cleanStorage() { - /** @var \Drupal\security_review\Checklist $checklist */ - $checklist = \Drupal::service('security_review.checklist'); - - // Get list of check configuration names. - $orphaned = $this->configFactory->listAll('security_review.check.'); - - // Remove items that are used by the checks. - foreach ($checklist->getChecks() as $check) { - $key = array_search('security_review.check.' . $check->id(), $orphaned); - if ($key !== FALSE) { - unset($orphaned[$key]); - } - } - - // Delete orphaned configuration data. - foreach ($orphaned as $config_name) { - $config = $this->configFactory->getEditable($config_name); - $config->delete(); - } - } - - /** - * Stores information about the server into the State system. - */ - public function setServerData() { - if (!static::isServerPosix() || PHP_SAPI === 'cli') { - return; - } - // Determine web server's uid and groups. - $uid = posix_getuid(); - $groups = posix_getgroups(); - - // Store the data in the State system. - $this->state->set('security_review.server.uid', $uid); - $this->state->set('security_review.server.groups', $groups); - } - - /** - * Returns whether the server is POSIX. - * - * @return bool - * Whether the web server is POSIX based. - */ - public function isServerPosix() { - return function_exists('posix_getuid'); - } - - /** - * Returns the UID of the web server. - * - * @return int - * UID of the web server's user. - */ - public function getServerUid() { - return $this->state->get('security_review.server.uid'); - } - - /** - * Returns the GIDs of the web server. - * - * @return int[] - * GIDs of the web server's user. - */ - public function getServerGids() { - return $this->state->get('security_review.server.groups'); - } - -} diff --git a/web/modules/contrib/security_review/src/Tests/CheckWebTest.php b/web/modules/contrib/security_review/src/Tests/CheckWebTest.php deleted file mode 100644 index 1f8a45235..000000000 --- a/web/modules/contrib/security_review/src/Tests/CheckWebTest.php +++ /dev/null @@ -1,74 +0,0 @@ -user = $this->drupalCreateUser( - [ - 'run security checks', - 'access security review list', - 'access administration pages', - 'administer site configuration', - ] - ); - $this->drupalLogin($this->user); - - // Get checks. - $this->checks = security_review_security_review_checks(); - } - - /** - * Tests Check::skip(). - * - * Checks whether skip() marks the check as skipped, and checks the - * skippedBy() value. - */ - public function testSkipCheck() { - foreach ($this->checks as $check) { - $check->skip(); - - $is_skipped = $check->isSkipped(); - $skipped_by = $check->skippedBy(); - - $this->assertTrue($is_skipped, $check->getTitle() . ' skipped.'); - $this->assertEqual($this->user->id(), $skipped_by->id(), 'Skipped by ' . $skipped_by->label()); - } - } - -} diff --git a/web/modules/contrib/security_review/src/Tests/ChecklistWebTest.php b/web/modules/contrib/security_review/src/Tests/ChecklistWebTest.php deleted file mode 100644 index dead35833..000000000 --- a/web/modules/contrib/security_review/src/Tests/ChecklistWebTest.php +++ /dev/null @@ -1,99 +0,0 @@ -checklist = \Drupal::getContainer() - ->get('security_review.checklist'); - - // Login. - $this->user = $this->drupalCreateUser( - [ - 'run security checks', - 'access security review list', - 'access administration pages', - 'administer site configuration', - ] - ); - $this->drupalLogin($this->user); - - // Populate $checks. - $this->checks = security_review_security_review_checks(); - - // Clear cache. - Checklist::clearCache(); - } - - /** - * Tests a full checklist run. - * - * Tests whether the checks hasn't been run yet, then runs them and checks - * that their lastRun value is not 0. - */ - public function testRun() { - foreach ($this->checks as $check) { - $this->assertEqual(0, $check->lastRun(), $check->getTitle() . ' has not been run yet.'); - } - $this->checklist->runChecklist(); - foreach ($this->checks as $check) { - $this->assertNotEqual(0, $check->lastRun(), $check->getTitle() . ' has been run.'); - } - } - - /** - * Skips all checks then runs the checklist. No checks should be ran. - */ - public function testSkippedRun() { - foreach ($this->checks as $check) { - $check->skip(); - } - $this->checklist->runChecklist(); - foreach ($this->checks as $check) { - $this->assertEqual(0, $check->lastRun(), $check->getTitle() . ' has not been run.'); - } - } - -} diff --git a/web/modules/contrib/security_review/templates/check_evaluation.html.twig b/web/modules/contrib/security_review/templates/check_evaluation.html.twig deleted file mode 100644 index 77f4509a2..000000000 --- a/web/modules/contrib/security_review/templates/check_evaluation.html.twig +++ /dev/null @@ -1,23 +0,0 @@ -{# -/** - * @file - * Default evaluation page template for checks. - * - * Available variables: - * - paragraphs: Array of paragraphs (strings) to show before the list. - * - items: Array of items (strings) to show in an unordered list after the paragraphs. - */ -#} - -{% for paragraph in paragraphs %} -

    - {{ paragraph }} -

    -{% endfor %} -{% if items is not empty %} -
      - {% for item in items %} -
    • {{ item }}
      • - {% endfor %} -
    -{% endif %} diff --git a/web/modules/contrib/security_review/templates/check_help.html.twig b/web/modules/contrib/security_review/templates/check_help.html.twig deleted file mode 100644 index 8b491cfff..000000000 --- a/web/modules/contrib/security_review/templates/check_help.html.twig +++ /dev/null @@ -1,19 +0,0 @@ -{# -/** - * @file - * Default check-specific help page template for checks. - * - * Available variables: - * - title: The title to show on the top of the page. - * - paragraphs: Array of paragraphs (strings) to show after the title. - */ -#} - -

    - {{ title }} -

    -{% for paragraph in paragraphs %} -

    - {{ paragraph }} -

    -{% endfor %} diff --git a/web/modules/contrib/security_review/templates/general_help.html.twig b/web/modules/contrib/security_review/templates/general_help.html.twig deleted file mode 100644 index 0b0168e44..000000000 --- a/web/modules/contrib/security_review/templates/general_help.html.twig +++ /dev/null @@ -1,42 +0,0 @@ -{# -/** - * @file - * Default general help page of Security Review. - * - * Available variables: - * - paragraphs: Array of paragraphs (strings) to show as an introduction. - * - items: Array of items (strings) to show in an unordered list after the - * paragraphs. - * - checks: Array of check links grouped by their namespaces. - */ -#} - -{% for paragraph in paragraphs %} -

    - {{ paragraph }} -

    -{% endfor %} -

    - {% trans %} - Check-specific help - {% endtrans %} -

    -

    - {% trans %} - Details and help on the security review checks. Checks are not always - perfectly correct in their procedure and result. Refer to drupal.org - handbook documentation if you are unsure how to make the recommended - alterations to your configuration or consult the module's README.txt for - support. - {% endtrans %} -

    -{% if checks is not empty %} - {% for check_namespace in checks %} -

    {{ check_namespace.namespace }}

    -
      - {% for check_link in check_namespace.check_links %} -
    • {{ check_link }}
      • - {% endfor %} -
    - {% endfor %} -{% endif %} diff --git a/web/modules/contrib/security_review/templates/run_and_review.html.twig b/web/modules/contrib/security_review/templates/run_and_review.html.twig deleted file mode 100644 index e6eac92c7..000000000 --- a/web/modules/contrib/security_review/templates/run_and_review.html.twig +++ /dev/null @@ -1,52 +0,0 @@ -{# -/** - * @file - * Default template for the Run & Review page. - * - * Available variables: - * - checks: Array of check informations. - * A check information consists of: - * - result: The check's result (string). - * - message: The result message. - * - help_link: The link to the check's help page. - * - toggle_link: The toggle link for the check. - * - skipped: Whether the check is skipped. - */ -#} - -

    - {% trans %} - Review results from last run {{ date }} - {% endtrans %} -

    -

    - {% trans %} - Here you can review the results from the last run of the checklist. Checks - are not always perfectly correct in their procedure and result. You can keep - a check from running by clicking the 'Skip' link beside it. You can run the - checklist again by expanding the fieldset above. - {% endtrans %} -

    - - - {% for check in checks %} - {% set style = '' %} - {% if check.result is defined %} - {% set style = style ~ ' ' ~ check.result %} - {% endif %} - {% if check.skipped %} - {% set style = style ~ ' skipped' %} - {% endif %} - - - - - - - {% endfor %} - -
    - {% if icons[check.result] is defined %} - - {% endif %} - {{ check.message }}{{ check.help_link }}{{ check.toggle_link }}
    diff --git a/web/modules/contrib/security_review/tests/modules/security_review_test/security_review_test.info.yml b/web/modules/contrib/security_review/tests/modules/security_review_test/security_review_test.info.yml deleted file mode 100644 index 5aeb68c70..000000000 --- a/web/modules/contrib/security_review/tests/modules/security_review_test/security_review_test.info.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: security_review_test -type: module -core: 8.x -package: Testing -dependencies: - - security_review diff --git a/web/modules/contrib/security_review/tests/modules/security_review_test/security_review_test.module b/web/modules/contrib/security_review/tests/modules/security_review_test/security_review_test.module deleted file mode 100644 index ae4400f8e..000000000 --- a/web/modules/contrib/security_review/tests/modules/security_review_test/security_review_test.module +++ /dev/null @@ -1,19 +0,0 @@ -createResult(CheckResult::INFO, $findings); - } - - /** - * {@inheritdoc} - */ - public function help() { - return []; - } - - /** - * {@inheritdoc} - */ - public function getMessage($result_const) { - return 'The test ran.'; - } - -} diff --git a/web/modules/contrib/security_review/tests/modules/security_review_test/src/TestNoStore.php b/web/modules/contrib/security_review/tests/modules/security_review_test/src/TestNoStore.php deleted file mode 100644 index 15a04cf7d..000000000 --- a/web/modules/contrib/security_review/tests/modules/security_review_test/src/TestNoStore.php +++ /dev/null @@ -1,26 +0,0 @@ -realChecks = security_review_security_review_checks(); - $this->testChecks = security_review_test_security_review_checks(); - $this->checks = array_merge($this->realChecks, $this->testChecks); - } - - /** - * Tests whether $checks is empty. - */ - public function testChecksExist() { - $this->assertFalse(empty($this->checks), 'Checks found.'); - } - - /** - * Every check should be enabled by default. - */ - public function testEnabledByDefault() { - foreach ($this->checks as $check) { - $this->assertFalse($check->isSkipped(), $check->getTitle() . ' is enabled by default.'); - } - } - - /** - * Tests some check's results on a clean install of Drupal. - */ - public function testDefaultResults() { - $defaults = [ - 'security_review-field' => CheckResult::SUCCESS, - ]; - - foreach ($this->checks as $check) { - if (array_key_exists($check->id(), $defaults)) { - $result = $check->run(); - $this->assertEquals($defaults[$check->id()], $result->result(), $check->getTitle() . ' produced the right result.'); - } - } - } - - /** - * Tests the storing of a check result on every test check. - */ - public function testStoreResult() { - foreach ($this->testChecks as $check) { - // Run the check and store its result. - $result = $check->run(); - $check->storeResult($result); - - // Compare lastResult() with $result. - $last_result = $check->lastResult(TRUE); - $this->assertEquals($result->result(), $last_result->result(), 'Result stored.'); - $this->assertEquals($result->time(), $last_result->time(), 'Time stored.'); - if ($check->storesFindings()) { - // If storesFindings() is set to FALSE, then these could differ. - $this->assertEquals($result->findings(), $last_result->findings(), 'Findings stored.'); - } - } - } - - /** - * Tests stored result correction on lastResult() call. - * - * Tests the case when the check doesn't store its findings, and the new - * result that lastResult() returns overwrites the old one if the result - * integer is not the same. - */ - public function testLastResultUpdate() { - foreach ($this->testChecks as $check) { - if (!$check->storesFindings()) { - // Get the real result. - $result = $check->run(); - - // Build the fake result. - $new_result_result = $result->result() == CheckResult::SUCCESS ? CheckResult::FAIL : CheckResult::SUCCESS; - $new_result = new CheckResult( - $check, - $new_result_result, - [], - TRUE - ); - - // Store it. - $check->storeResult($new_result); - - // Check if lastResult()'s result integer is the same as $result's. - $last_result = $check->lastResult(TRUE); - $this->assertEquals($result->result(), $last_result->result(), 'Invalid result got updated.'); - } - } - } - -} diff --git a/web/modules/contrib/security_review/tests/src/Kernel/ChecklistTest.php b/web/modules/contrib/security_review/tests/src/Kernel/ChecklistTest.php deleted file mode 100644 index 6172adcef..000000000 --- a/web/modules/contrib/security_review/tests/src/Kernel/ChecklistTest.php +++ /dev/null @@ -1,122 +0,0 @@ -checklist = \Drupal::getContainer() - ->get('security_review.checklist'); - $this->realChecks = security_review_security_review_checks(); - $this->testChecks = security_review_test_security_review_checks(); - $this->checks = array_merge($this->realChecks, $this->testChecks); - - Checklist::clearCache(); - $this->checkIDs = []; - foreach ($this->checks as $check) { - $this->checkIDs[] = $check->id(); - } - } - - /** - * Tests Checklist::getChecks(). - * - * Tests whether getChecks() contains all the checks that - * security_review_security_review_checks() and - * security_review_test_security_review_checks() returns. - */ - public function testChecksProvided() { - foreach ($this->checklist->getChecks() as $check) { - $this->assertTrue(in_array($check->id(), $this->checkIDs), $check->getTitle() . ' found.'); - } - } - - /** - * Tests whether checks returned by getEnabledChecks() are all enabled. - */ - public function testEnabledChecks() { - foreach ($this->checklist->getEnabledChecks() as $check) { - $this->assertFalse($check->isSkipped(), $check->getTitle() . ' is enabled.'); - - // Disable check. - $check->skip(); - } - Checklist::clearCache(); - $this->assertEquals(0, count($this->checklist->getEnabledChecks()), 'Disabled all checks.'); - } - - /** - * Tests Checklist's Check search functions. - * - * Tests the search functions of Checklist: - * getCheck(). - * getCheckById(). - */ - public function testCheckSearch() { - foreach ($this->checklist->getChecks() as $check) { - // getCheck(). - $found = $this->checklist->getCheck($check->getMachineNamespace(), $check->getMachineTitle()); - $this->assertEquals($check->id(), $found->id(), 'Found ' . $check->getTitle() . '.'); - - // getCheckById(). - $found = $this->checklist->getCheckById($check->id()); - $this->assertEquals($check->id(), $found->id(), 'Found ' . $check->getTitle() . '.'); - } - } - -} diff --git a/web/modules/contrib/security_review/tests/src/Kernel/SecurityReviewTest.php b/web/modules/contrib/security_review/tests/src/Kernel/SecurityReviewTest.php deleted file mode 100644 index 08066fa96..000000000 --- a/web/modules/contrib/security_review/tests/src/Kernel/SecurityReviewTest.php +++ /dev/null @@ -1,76 +0,0 @@ -installConfig(static::$modules); - $this->securityReview = \Drupal::getContainer()->get('security_review'); - } - - /** - * Tests the 'logging' setting. - */ - public function testConfigLogging() { - $this->assertTrue($this->securityReview->isLogging(), 'Logging enabled by default.'); - $this->securityReview->setLogging(FALSE); - $this->assertFalse($this->securityReview->isLogging(), 'Logging disabled.'); - } - - /** - * Tests the 'configured' setting. - */ - public function testConfigConfigured() { - $this->assertFalse($this->securityReview->isConfigured(), 'Not configured by default.'); - $this->securityReview->setConfigured(TRUE); - $this->assertTrue($this->securityReview->isConfigured(), 'Set to configured.'); - } - - /** - * Tests the 'untrusted_roles' setting. - */ - public function testConfigUntrustedRoles() { - $this->assertEquals([], $this->securityReview->getUntrustedRoles(), 'untrusted_roles empty by default.'); - - $roles = [0, 1, 2, 3, 4]; - $this->securityReview->setUntrustedRoles($roles); - $this->assertEquals($roles, $this->securityReview->getUntrustedRoles(), 'untrusted_roles set to test array.'); - } - - /** - * Tests the 'last_run' setting. - */ - public function testConfigLastRun() { - $this->assertEquals(0, $this->securityReview->getLastRun(), 'last_run is 0 by default.'); - $time = time(); - $this->securityReview->setLastRun($time); - $this->assertEquals($time, $this->securityReview->getLastRun(), 'last_run set to now.'); - } - -} diff --git a/web/sites/default/default.settings.php b/web/sites/default/default.settings.php index 0e7caa39a..5bcecc267 100644 --- a/web/sites/default/default.settings.php +++ b/web/sites/default/default.settings.php @@ -88,7 +88,7 @@ * ); * @endcode */ -$databases = array(); +$databases = []; /** * Customizing database settings. @@ -251,7 +251,7 @@ $databases = array(); * ); * @endcode */ -$config_directories = array(); +$config_directories = []; /** * Settings: @@ -263,23 +263,6 @@ $config_directories = array(); * @see \Drupal\Core\Site\Settings::get() */ -/** - * The active installation profile. - * - * Changing this after installation is not recommended as it changes which - * directories are scanned during extension discovery. If this is set prior to - * installation this value will be rewritten according to the profile selected - * by the user. - * - * @see install_select_profile() - * - * @deprecated in Drupal 8.3.0 and will be removed before Drupal 9.0.0. The - * install profile is written to the core.extension configuration. If a - * service requires the install profile use the 'install_profile' container - * parameter. Functional code can use \Drupal::installProfile(). - */ -# $settings['install_profile'] = ''; - /** * Salt for one-time login links, cancel links, form tokens, etc. * @@ -379,7 +362,7 @@ $settings['update_free_access'] = FALSE; * Specify every reverse proxy IP address in your environment. * This setting is required if $settings['reverse_proxy'] is TRUE. */ -# $settings['reverse_proxy_addresses'] = array('a.b.c.d', ...); +# $settings['reverse_proxy_addresses'] = ['a.b.c.d', ...]; /** * Set this value if your proxy server sends the client IP in a header @@ -573,10 +556,10 @@ if ($settings['hash_salt']) { * The "en" part of the variable name, is dynamic and can be any langcode of * any added language. (eg locale_custom_strings_de for german). */ -# $settings['locale_custom_strings_en'][''] = array( +# $settings['locale_custom_strings_en'][''] = [ # 'forum' => 'Discussion board', # '@count min' => '@count minutes', -# ); +# ]; /** * A custom theme for the offline page: @@ -630,7 +613,7 @@ if ($settings['hash_salt']) { * override in a services.yml file in the same directory as settings.php * (definitions in this file will override service definition defaults). */ -# $settings['bootstrap_config_storage'] = array('Drupal\Core\Config\BootstrapConfigStorageFactory', 'getFileStorage'); +# $settings['bootstrap_config_storage'] = ['Drupal\Core\Config\BootstrapConfigStorageFactory', 'getFileStorage']; /** * Configuration overrides.