Drupal coding: How to handle text in a secure fashion

When I did my first Unix system administration back in 1996 or so, I immediately did have a lot of respect for the beauty of Unix and system adminstrators who know, eat, sleep and dream Unix. Shortly after I got my first root prompt, there was this buzz, there was an option to bring down any Unix (and every other BSD TCP/IP stack) system with just one simple "ping command".

This was later knowns as the Ping of Death. This was an attack against the network layer of the OSI stack. Soon followed by even easier Denial of Service attacks like flood, smurf and the likes.

A couple of years later, attacks moved to a higher level, all the lower stuff was less easy to "hack". So we saw a lot of "buffer overlow" attacks in the late 90ies. This kind of attack is still happening, but most attention is now focussed to once again a higher level. So a couple of years back, we saw a lot of attacks on the application level.

For webservices, Cross Site Scripting (XSS) was the most used one. Most CMS-es, including better ones like Drupal did have these vulnabilities in them. And still, there are some Drupal modules that still have this kind of potential abuse in them. So when you do coding, it is not so hard to make code that can do what is should; match the functional requirements thet you or your customer defined. It is hard to make code that wont do what you dont want. Most customers are very good in describing what they want; to come up with a functional design. But nearly all of them fail to define what shouldnt be possible.

If you think you or your customer didnt define what shouldnt be possible, make sure you read the "How to handle text in a secure fashion" page on Drupal.org

When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done. Otherwise there might be bugs when users try to use angle brackets or ampersands, or worse you could open up XSS exploits.

In a year or two we will be done with these XSS exploits and label it as yesterdays news. But will we still suffer from "even higher" attacks like SQL injection with the automated test tools that are available for good or evil now?