- Issue created by @hongpong
Reminded by malicious imports from a WordPress site that got spammed in an attack in its body field. That ended up imported into Drupal!
Basically, it would be nice to have some security scan to catch obvious bad stuff in the XML files; it could save people from problems sneaking in. It could also help determine whether php-xml is exposed to entity attacks locally, which admins would probably be wise to think about before dumping tons of XML, potentially contaminated by drive-by users, into their site.
1. It seems possible that malicious XML could be fed into the module files.
2. A separate issue could be embedded scripts, particularly in comments, as well. This would be embedded inside the XML, so I may as well mention it here.
1. Test what happens with malicious XML embedded in a test import. A test import with malicious XML could be created for testing.
2. Option to lint the comment entries for script tags, CSS tags, eval statements, base64 encode statements, etc.
Status: Active
Version: 3.0
Component: Miscellaneous
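As an added example (not code from this issue or from the import module), the following stand-alone Python pre-import scanner covers both points raised above: it refuses any document that declares a DOCTYPE, entity or external entity reference before the parser has a chance to expand anything (the delivery mechanism for XXE and billion-laughs payloads), and it lints post bodies and comment bodies in a WordPress WXR export for script-like content. The `content:` and `wp:` namespaces are those of WordPress 1.2 exports; the two sample documents, the rule list, and the function names are constructed for the example and are assumptions, not the module's API.

```python
"""Pre-import scanner for a WordPress WXR export (added example, not part of the
Drupal module).  Two checks: (1) refuse any document that declares a DOCTYPE,
entity or external entity reference, which is how XXE and billion-laughs
payloads are delivered; (2) lint post bodies and comment bodies for
script-like content before they reach the importer."""
import re
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Namespaces used by WordPress WXR 1.2 exports.
NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.2/",
}


class UnsafeXml(ValueError):
    """Raised when the document uses DTD features an import never needs."""


def check_entities(data: bytes) -> None:
    """Parse with expat and abort on the first DOCTYPE / entity declaration.
    Rejecting at the declaration means no entity is ever expanded, so a
    billion-laughs document costs nothing and an XXE probe reads no file."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} declared (system id {sysid!r})")

    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity {name!r} declared")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # exceptions raised in handlers propagate here


# Constructed rule list, deliberately broad: a hit means "review this entry",
# not proof of malice.  Output filtering in Drupal's text formats still applies.
LINT_RULES = [
    ("script-tag",      re.compile(r"<\s*script\b", re.I)),
    ("style-tag",       re.compile(r"<\s*style\b", re.I)),
    ("iframe-tag",      re.compile(r"<\s*iframe\b", re.I)),
    ("event-handler",   re.compile(r"\bon[a-z]+\s*=\s*[\"']", re.I)),
    ("javascript-url",  re.compile(r"javascript\s*:", re.I)),
    ("eval-call",       re.compile(r"\beval\s*\(", re.I)),
    ("base64-decode",   re.compile(r"\b(base64_decode|atob)\s*\(", re.I)),
    ("base64-data-uri", re.compile(r"data:[^,]*;base64,", re.I)),
]


def lint_text(text: str) -> list[str]:
    """Return the names of every rule that matches the given body text."""
    return [name for name, rx in LINT_RULES if rx.search(text or "")]


def scan_wxr(data: bytes) -> dict:
    """Run both checks and return a report.  An entity problem short-circuits:
    a document we have already decided not to trust is not parsed further."""
    try:
        check_entities(data)
    except UnsafeXml as exc:
        return {"entity_issue": str(exc), "findings": []}

    root = ET.fromstring(data)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title") or "(untitled)"
        body = item.findtext("content:encoded", default="", namespaces=NS)
        for rule in lint_text(body):
            findings.append((f"post {title!r}", rule))
        for comment in item.findall("wp:comment", NS):
            cid = comment.findtext("wp:comment_id", default="?", namespaces=NS)
            ctext = comment.findtext("wp:comment_content", default="", namespaces=NS)
            for rule in lint_text(ctext):
                findings.append((f"post {title!r} comment {cid}", rule))
    return {"entity_issue": None, "findings": findings}


# Constructed sample: a minimal WXR export with one post and two comments,
# the second carrying a spam payload inside CDATA.
HOSTILE_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
  <item>
    <title>Hello world</title>
    <content:encoded><![CDATA[<p>Welcome to my blog.</p>]]></content:encoded>
    <wp:comment>
      <wp:comment_id>1</wp:comment_id>
      <wp:comment_content><![CDATA[Nice post!]]></wp:comment_content>
    </wp:comment>
    <wp:comment>
      <wp:comment_id>2</wp:comment_id>
      <wp:comment_content><![CDATA[<script>eval(atob("YWxlcnQoMSk="))</script>]]></wp:comment_content>
    </wp:comment>
  </item>
</channel>
</rss>
"""

# Constructed sample: a classic XXE probe.  It must be rejected at the DOCTYPE,
# before the &xxe; reference in the body is ever seen.
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE rss [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<rss><channel><item><title>&xxe;</title></item></channel></rss>
"""

if __name__ == "__main__":
    for label, doc in (("hostile-wxr", HOSTILE_WXR), ("xxe-probe", XXE_XML)):
        print(label, scan_wxr(doc))
```

The entity check is done with a throwaway expat parser rather than by grepping the bytes for `<!DOCTYPE`, so that encoding tricks and whitespace variants are handled by the same tokenizer the real parse would use; the lint only runs once the document has passed that gate.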