The School of Arts and Sciences Information Security and Unix Systems (ISUS) regularly audits Drupal modules to ensure security and stability. Before modules can be installed on our production environments they must be reviewed by information security staff. While this review is not a surefire guarantee of security, it does insure a certain degree of safety in the module code. Modules are examined for compliance with the Drupal 7 secure coding guidelines as well as for common web application vulnerabilities (Cross Site Scripting, SQL injection, authentication bypass, remote code execution, file inclusion, information disclosure, etc.). Note that some modules are approved for use only with certain patches applied that address known vulnerabilities. Although Drupal 5 is no longer officially supported, it is still maintained by SAS computing. A list of Drupal 5 modules is available here (PennKey authentication required).
Drupal 8 security information is available at https://www.drupal.org/docs/8/security.
The following are a list of modules which have been audited by the Information Security Team:
Drupal 8 Approved Modules
- crop_api 8.x-1.2
- draggableviews 8.x-1.0
- image_widget_crop 8.x-2.0
- media_entity_image 8.x-1.2
- paragraphs 8.x-1.1
Drupal 7 Approved Modules
- admin_menu 7.x-3.0-rc
- auto_nodetitle 7.x-1.0
- autocomplete_deluxe 7.x-2.2
- block_class 7.x-2.3
- blockify 7.x-1.2
- borealis 7.x-2.2
- calendar 7.x-3.4
- captcha 7.x-1.1
- cnr 7.x-4.22
- coffee 7.x-2.2
- colorbox 7.x-2.10
- colorbox_node 7.x-3.5
- ctools 7.x-1.9
- custom_meta 7.x-1.3
- custom_search 7.x-1.14
- date 7.x-2.6
- date_ical 7.x-3.8 (requires iCalcreator v2.22)
- datepicker 7.x-1.x
- diff 7.x-3.2
- draggable views 7.x-2.0
- easy social 7.x-2.11
- email 7.x-1.2
- email_confirm 7.x-1.1
- entity 7.x-1.5
- entity_queue 7.x-1.1
- entityreference 7.x-1.1
- entityreference_filter (Views Reference Filter) 7.x-1.x
- eva: entity views attachment 7.x-1.2
- event_calendar 7.x-1.4
- extlink (External Links) 7.x-1.13
- fences 7.x-1.0
- field formatter 7.x-1.1
- field group 7.x-1.5
- flag 7.x-3.1
- global_redirect 7.x-1.5
- google_analytics 7.x-2.3
- google_tag_manager 7.x-1.0
- html5_media 7.x-1-1
- imce 7.x-1.7
- imce_wysiwyg 7.x-1.0
- inline_entity_form 7.x-1.8
- insert 7.x-1.3
- invisimail 7.x-1.1
- jcarousel 7.x-2.6
- jquery plugin 7.x-1.0
- jquery update 7.x-2.3
- link 7.x-1.1
- login_security 7.x-1.4
- media 7.x-1.4
- mediaelement 7.x-1.2
- mediafront 7.x-2.1
- media_dailymotion 7.x-1.1
- menu_attach_block 7.x-1.2
- menu_block 7.x-2.3
- menu_breadcrumb 7.x-1.3
- menu_position 7.x-1.1
- metatag_quick 7.x-2.9
- modernizr 7.x-3.9
- nivio_slider 7.x-1.11
- node_embed 7.x-1.2
- nodereference_url 7.x-1.12
- organic_groups 7.x-2.9
- overlay_paths 7.x-1.3
- panels 7.x-3.3
- password_policy 7.x-1.8
- passwordless 7.x-1.8
- pathauto 7.x-1.2
- print 7.x-1.3
- references 7.x-2.1
- registration 7.x-1.6
- rules 7.x-2.3
- rules_link 7.x-2.0
- scheduler 7.x-1.5
- security review 7.x-1.0
- sharethis 7.x-2.5
- smart_trim 7.x-1.5
- special_menu_items 7.x-2.0
- strongarm 7.x-2.0
- superfish 7.x-1.9
- taxonomy_menu 7.x-1.4
- themekey 7.x-3.2
- token 7.x-1.5
- view_unpublished 7.x-1.2
- views 7.x-3.14
- views_bulk_operations 7.x-3.3 (with patch)
- views_field_view 7.x-1.1
- views_gallerific 7.x-1.1
- views_natural_sort 7.x-1.4
- views_slideshow 7.x-3.0
- webform 7.x-4.10
- webform_component_roles 7.x-1.8
- workflow 7.x-1.2
- wysiwyg 7.x-2.2
- xmlsitemap 7.x-2.3
Drupal 6 Modules Listed Alphabetically
- ACL 6.x-1.2
- AddThis 6.x-2.10
- Admin 6.x-2.0
- Administration Menu 6.x-1.8
- Advanced Help 6.x-1.2
- Autocomplete Widgets 6.x-1.4
- Automatic NodeTitle 6.x-1.2
- Autosave 6.x-2.11
- BeautyTips 6.x-2.0
- Better Formats 6.x-1.2
- Better Exposed Filters 6.x-1.0
- Bibliography 6.x-1.13
- Block Class 6.x-1.3
- Browscap 6.x-1.5
- Calendar 6.x-2.4
- CAPTCHA 6.x-2.2
- CCK 6.x-2.8 (Content Construction Kit)
- Conditional Styles 6.x-1.2
- Content Access 6.x-1.2
- Content Profile 6.x-1.0
- Context 6.x-2.0
- Ctools 6.x-1.11
- Custom Breadcrumbs 6.x-1.6
- Date 6.x-2.8
- DHTML Menu 6.x-3.5
- Diff 6.x-2.1
- Disclaimer 6.x-1.5 with nyroModal 1.6.1
- Domain Access 6.x-2.7
- Easy Social 6.x-1.4
- Email Field 6.x-1.4
- Embedded Media Field 6.x-1.26
- External Links 6.x-1.11
- Feed API 6.x-1.8
- File Aliases 6.x-1.1
- File Force 6.x-2.3
- FileField 6.x-3.9
- FileField Paths 6.x-1.4
- Fieldgroup Tabs 6.x-1.2
- Flag 6.x-1.2
- Follow 6.x-1.5
- Footnotes 6.x-2.1
- Forum_Access 6.x-1.8
- Forward 6.x-1.21
- Global Redirect 6.x-1.5
- Gmap 6.x-1.1
- Google Analytics 6.x-2.2
- Hierarchical Select 6.x-3.2
- HTMLPurifier 6.x-2.4
- ImageAPI 6.x-1.9
- ImageCache 6.x-2.0-Beta10
- ImageField 6.x-3.9
- Image Resize Filter 6.x-1.9
- IMCE 6.x-1.2
- IMCE Wysiwyg Bridge 6.x-1.0
- Insert 6.x-1.1
- Invisimail 6.x-1.2
- JQuery AOP 6.x-1.0
- JQuery DropDown 6.x-1.2
- JQuery Plugin 6.x-1.10
- JQuery UI 6.x-1.3
- JQuery Update 6.x-1.1
- JS Alter 6.x-1.0
- Less 6.x-2.7
- Lightbox2 6.x-1.11
- Link 6.x-2.9
- Link Checker 6.x-2.4
- Location 6.x-3.1
- Login Security 6.x-1.3
- Lowername 6.x-1.1
- Menu Attributes 6.x-1.4
- Menu Block 6.x-2.3
- Menu Breadcrumb 6.x-1.3
- Menu per Role 6.x-1.8
- Menu Trails 6.x-1.1
- Messaging 6.x-2.4
- Meta Tags 6.x-1.0
- Mobile Tools 6.x-2.7
- Modal Frame API 6.x-1.3
- Modr8 6.x-1.1
- Module Grants 6.x-3.7
- Mollom 6.x-1.15
- Nice Menu 6.x-1.3 (with patch)
- Node Access User Reference 6.x-3.3
- Node Blocks 6.x-1.4
- Node Clone 6.x-1.3
- Node Reference Views 6.x-1.3
- Nodereference Count 6.x-1.1
- Nodereference URL 6.x-1.11
- Node Relationships 6.x-1.6
- Nodequeue 6.x-2.3
- Nodes in Block 6.x-1.6
- Notify 6.x-1.2
- Notifications 6.x-2.3
- oEmbed 6.x-0.8
- Organic Groups 6.x-2.1 (with patch)
- Panels 6.x-3.10
- Parser iCal 6.x-1.1
- Password Strength 6.x-1.0
- Path Auto 6.x-1.5
- Pathologic 6.x-3.4
- PennWebLogin 6.x-1.4
- PennWebLogin 6.x-1.5
- PHPMailer 6.x-2.2
- Pingback 6.x-1.0
- Print, e-mail and PDF versions 6.x-1.19
- Popups API 6.x-1.3
- Popups: Add and Reference 6.x-1.0
- Protected Node 6.x-1.2
- Publish Content 6.x-1.4
- Realname 6.x-1.5
- Region Manager 6.x-1.0
- reCAPTCHA 6.x-1.7
- Redirect 403 to User Login 6.x-1.4
- Reverse Node Reference 6.x-1.0
- Revisioning 6.x-3.14
- Rotor 6.x-2.5
- Rules 6.x-1.4
- Scheduler 6.x-1.7 (allows nodes to be published and unpublished at specific times via cron)
- Schema 6.x-1.7
- Search Config 6.x-1.6
- Search Restrict 6.x-1.3
- Sections 6.x-1.4
- Secure Pages 6.x-1.9
- Security Review 6.x-1.2
- Semantic Views 6.x-1.1
- Service Links 6.x-1.0 with patch
- Signup 6.x-1.0
- Site Map 6.x-1.2
- Skinr 6.x-1.6
- Strongarm 6.x-2.0
- Submenu Tree 6.x-1.6
- Tabs 6.x-1.3
- Tag Order 6.x-1.5
- Tagadelic 6.x-1.3
- Taxonomy Autotag 6.x-1.25
- Taxonomy Breadcrumb 6.x-1.1
- Taxonomy Lineage 6.x-1.0
- Token 6.x-1.18
- Twitter Pull 6.x-1.2
- Transliteration 6.x-3.0
- Upload Element6.x-1.2
- Video Filter 6.x-3.0
- Viewfield 6.x-1.2
- Views 6.x-2.16
- Views Accordion 6.x-1.3
- Views Attach 6.x-2.2
- Views Bonus Pack 6.x-1.0
- Views Galleriffic 6.x-1.1
- Views Slideshow 6.x-2.3
- Views Slideshow: Dynamic Display Block 6.x-2.0
- Views Tree 6.x-1.0
- Vocabulary Index 6.x-2.3
- Webform 6.x-3.20
- Webform Block 6.x-1.1
- Webform Component Roles 6.x-1.8
- Webform Rules 6.x-1.4
- Webform Validation 6.x-1.5
- Webform2PDF 6.x-2.2
- Wikitools 6.x-1.2 with patch
- workflow 6.x-1.4
- Wysiwyg 6.x-2.4
- WYSIWYG Filter 6.x-1.5
- WYSIWYG Image Map 6.x-1.0
- XMLSiteMap 6.x-1.2
Drupal 6 Modules by Function
Bibliography - allows for the input and auto formatting of bibliographic data and citations.
CCK - allows site administrators to create custom content types for the site.
Date - allows you to use date fields in your custom content types.
Diff - enables viewers to check the differences between revisions of certain content.
Email field - allows administrators to configure email fields as part of custom content types.
Embedded Media Field - provides an interface for including embedded media as part of a custom content type.
External Links - is a user interface module that allows administrators to place icons next to links and control how links to external websites are handled (for 508 compliance for instance).
File Aliases - allows uploaded files to be aliased (including URL's for download).
FileField - allows for files to be used in custom content types.
FileField Paths - is a utility module that can be used to specify paths and filenames for files as part of a custom content type.
Link - extends custom content types by providing a URL link field.
Lowername - is a database query optimization module.
Node Reference Views - Views integration with node references in custom content types.
Node Relationships - allows administrators to build connections between nodes.
Path Auto - provides automatic friendly URL's for content.
Popups API and Popups - enables site administrators to configure pop-up windows with content.
Publish Content - adds a "Publish/Unpublish" tab to the node page for one-click un/publishing.
Scheduler - adds new fields to content creation and editing fields so that content can be published and unpublished at specific times.
Taxonomy autotag - provides automatic tagging of content based on taxonomies.
Taxonomy Breadcrumb and Taxonomy Lineage - are organizational modules useful for grouping tags and taxonomy terms.
Messaging - The messaging framework is a back end API that allows passing of messages in several formats (via the website, over e-mail, and even IM)
Notifications - allows users to "subscribe" to updates for different content types and be alerted of new content of those types.
Notify - allows users to subscribe to periodic emails which include all new or revised content and/or comments much like the daily news letters sent by some websites.
PHPMailer - PHP Mailer is an extension that allows modules to utilize more dynamic mailing options (such as HTML e-mail).
Signup - Is designed to allow users to sign up to events and manage registrations. Includes restrictions by role.
Calendar - allows you to display and manage a calendar on your Drupal site.
Disclaimer - enables a pop up message in a shadowbox that is displayed to end users.
Flag - allows users to flag certain content (such as favorites).
Forward - provides a link so that users can forward content via e-mail to others.
Gmap - allows sites to display Google Maps.
Lightbox2 - enables Lightboxes, or custom pop up displays, for imagery on a site.
Location - is a geolocation and coding module that allows integration of such features with your Drupal site.
Meta Tags - allows customization of meta tags for pages and nodes.
Organic Groups - allows Drupal users to belong to various groups and enables site customizations on a per group basis.
Pingback - provides a pingback interface.
Print, email and PDF versions - puts text and/or graphical links for sending content by e-mail, printing nodes or generating PDF's of site content.
Sitemap - allows the creation of site maps for web spiders and easier navigation.
Tagadelic - provides a tag cloud and other taxonomy based functionality.
Webform, Webform2PDF and Webform Block - allow users to create dynamic web forms and collect form data on their site.
Wikitools - extends Drupal by providing collaborative content features similar to a wiki.
WYSIWYG - alters Drupal content creation forms to display a rich text editor instead of a plain text box.
ImageCache - enables image upload and dynamic manipulation for a site.
ImageField - provides an image field for custom content types.
Image Resize Filter - is a module that allows dynamic image resizing.
Views Galleriffic, Views Slideshow: Dynamic Display Block and Views Slideshow - are image based Views modules that assist in organization and display of imagery
Security and Protection
ACL - The access control module is actually just a API that provides support for the Content Access module
Content Access - This module allows you to set permissions, based on groups, on a per content type basis.
CAPTCHA and reCAPTCHA - allows you to place an image recognition test on forms to prevent automated posting and spam techniques.
HTMLPurifier - cleans up HTML code and strips out potentially dangerous code.
Invisimail - protects the HTML source of e-mail addresses in an attempt to prevent spammers from screen scraping e-mail addresses.
Login Security - rate limits logins to prevent password guessing attacks.
Mollom - is an anti-spam plugin.
Node Access User Reference - applies access control to nodes with user reference fields (custom content types) based on those user references.
Password Strength - this module enforces minimum password guidelines.
Protected Node - allows administrators to set a password on a specific node to control access.
Secure Pages - enforces HTTPS (SSL) communication when utilizing the Drupal administration pages.
BeautyTips - allows balloon style help tips to be displayed on a site.
Block Class - allows site administrators to change CSS attributes of blocks through the web interface.
Context - allows you to tailor site appearance based on specific areas of the site.
Custom Breadcrumbs - allows administrators to change the appearance of the default Drupal breadcrumb menu.
DHTML Menu - provides a mechanism to display mouse over animated menus for your site.
Domain Access - allows administrators to change the site appearance based on the domain name.
Hierarchical Select - enables dynamic menus.
Menu Block - allows administrators to display menus in Drupal blocks.
Menu Breadcrumb - allows customization of a menu breadcrumb trail.
Menu per Role - allows administrators to customize the menu display for users based on their roles.
Menu Trails - allows greater control over active menus.
Modal Frame API - provides integration between iframes and JQuery UI so that dynamic iframes can be displayed.
Nice Menu - provides for customization of menu displays.
Node Blocks - Allows nodes to be displayed inside Drupal blocks.
Panels - enables administrators to display content blocks in regions such as the front page to enable greater layout options.
Region Manager - this utility module allows for greater control in configuring Drupal blocks and display.
Rotor - is a useful module for displaying changing banners on a site.
Sections - provides an interface so that Drupal sites can be broken into separate areas, each with their own disply rules.
Tabs - allows for the diplay of tabs defined by field groups in custom content types.
Transliteration - is a display module useful for handling multilingual sites.
AddThis - allows you to add a set of links to social networking sites so that users can share links to content.
Service Links - puts links to popular content sharing sites on nodes.
Twitter Pull - this developer centric module provides an API so that other modules, themes, and templates can include Twitter feeds from specific users (@madirish2600 for instance) or even hash tags.
Content Profile - allows user profiles to be created as nodes for better integration with Drupal subsystems (such as search).
RealName - enables custom fields that can be used to generate names for users in addition to their Drupal usernames. Realnames can be displayed on the site instead of Drupal usernames.
Administration Menu - allows the addition of a handy menu of links placed in an unobtrusive black bar across the top of sites.
Advanced Help - allows you to include additional context sensitive help on your site.
Autocomplete Widgets - allows sites to populate widgets with predetermined values
Automatic NodeTitle - hides the title field in node creation forms and allows titles to be generated by Drupal.
AutoSave - This module allows nodes to be saved while they are being worked on. This module is buggy and may not always work.
Better Formats - allows for formatting options for data input fields.
Ctools - is a utility library used for powering many other modules (like Context and Panels).
File Force Download - is an extension module that allows file and image attachments to be downloaded rather than displayed.
Footnotes - provides an interface for content to include automatically generated footnotes.
Google Analytics - provides an easy interface to include Google Analytics on your site.
ImageAPI - allows the site to process images, though this module is mainly a helper module.
IMCE and IMCE Wysiwyg Bridge - are utility functions that extend the power of the rich content editor for end users.
JQuery Plugin, JQuery Update and JQuery UI - are modules that provide dynamic interfaces for various site interactions.
Link checker - evaluates links in your content to detect broken links.
Menu Attributes - allows administrators to set custom anchor tag attributes for menu entries
Modr8 - supplements workflow in content creation by providing easy content queues for moderation.
Rules - allows administrators to build complex cause/effect statement in the administrative back end.
Schema - is a database enumeration module.
Search config - allows administrators to change the way the Drupal advanced search form appears.
Search restrict - enables administrators to fine tune search results.
Strongarm - this is a developer centric module that provides an API for manipulating Drupal variables.
Tag order - allows fine tuned control over Drupal taxonomies.
Token - provides substitution tokens for auto generated content.
Upload Element - is a helper module that provides advanced interfaces for uploading files.
Views - is a module that allows administrators to provide grouped content for display.
Views Accordion, Views Attach, Views Bonus Pack and Views Tree- are all Views helper modules that provide new ways to utilize and display Views
Vocabulary Index - is a module that can be used to create an easy index of taxonomy terms.
Workflow - allows administrators to create complex rules to govern content creation and publication
Drupal 6 Themes
Please note that every effort is made to keep this list current, however, module bug fixes and updates may be made after a review is complete. In the case where a newer version of the module has been released, the revision must also be reviewed before it can be recommended as it is possible for new security vulnerabilities to be introduced as part of a fix or feature addition.