Information Security Announcements
As stated in the Drupal configuration pages, "Improper text format configuration is a security risk."
Therefore, on websites hosted by SAS we require that input filters used by content editors meet strict security standards. We do not allow content editors to use full HTML to edit content. We ask our web developers to create an input filter for content editors that allows many commonly used tags without allowing full HTML. We typically call this input filter “Advanced Filtered HTML” or something similar (we find that the “Filtered HTML” filter that is there by default usually does not quite meet the needs of the content editors). This input filter should meet the following criteria:
- The role should be usable only by administrators and content editors, not authenticated or anonymous users
- The following filters should be enabled, in the following order: Limit allowed HTML tags; Convert line breaks into HTML; Convert URLs into links; Correct faulty and chopped off HTML
- Allowed HTML tags: <span> <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <img> <p> <blockquote> <br/> <br> <table> <thead> <th> <tbody> <tr> <td> <h2> <h3> <h4> <h5> <div>
- The Advanced Filtered HTML text format should be ranked 1st so that it is selected by default.
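To illustrate why the "Limit allowed HTML tags" filter must come first and why Full HTML is withheld from editors, here is an added allow-list filter written for this page (not Drupal's own filter code). It uses the tag list above and, as an assumption of this example, also drops on* event-handler attributes and href/src values that do not begin with http:, https:, mailto:, "/" or "#".

```python
# Added illustration, not Drupal's filter implementation: an allow-list HTML
# filter in the spirit of the "Limit allowed HTML tags" filter described above.
from html.parser import HTMLParser
from html import escape

# Tag allow-list taken from the text-format criteria on this page.
ALLOWED_TAGS = {
    "span", "a", "em", "strong", "cite", "code", "ul", "ol", "li", "dl", "dt", "dd",
    "img", "p", "blockquote", "br", "table", "thead", "th", "tbody", "tr", "td",
    "h2", "h3", "h4", "h5", "div",
}
VOID_TAGS = {"br", "img"}                       # never emit a closing tag for these
# Assumption for this example: only these URL prefixes are acceptable in href/src.
SAFE_URL_PREFIXES = ("http:", "https:", "mailto:", "/", "#")

class AllowListFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []

    def _safe_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):             # drop event-handler attributes
                continue
            if name in ("href", "src"):           # drop unsafe URL schemes
                if not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:                   # disallowed tags vanish, text stays
            self.out.append(f"<{tag}{self._safe_attrs(attrs)}>")
    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._safe_attrs(attrs)} />")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def filter_html(markup: str) -> str:
    """Return markup containing only allow-listed tags and safe attributes."""
    p = AllowListFilter()
    p.feed(markup)
    p.close()
    return "".join(p.out)
```

Run `filter_html` over editor-submitted markup before storage or rendering; a `<script>` element loses its tags and its body survives only as escaped text.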
We prefer that the WYSIWYG editor should be TinyMCE, configured as follows:
- Enabled by default should be checked
- Do not check Allow users to choose default
- Enable/disable rich text toggle link
Buttons and Plugins:
- We prefer a minimalist approach – within a properly set up Drupal environment, the editors should not need to change the basic layout of the page very much. The following should be checked: Bold, numbered list, unlink, italic, block format, bullet list, styles (if supported in the CSS). Expand this list only with discretion. In some cases, paste from Word or clean-up is advisable. If you think your client needs other buttons for a special need (for example, superscripts for academic citations), please consult with us.
- Typically toolbars are aligned to the top left, and the path location is at the bottom. The resizing button may be enabled.
Cleanup and output:
- Only Verify HTML and Remove line breaks should be checked. All others should remain unchecked.
- This is at the discretion of the developer and the specific site needs, but again, we recommend a minimalist approach. Typically we find it useful to give users the block formats p, h2, h3, h4, h5, h6, blockquote, div.
We have completed a security review of the jQuery Drop Down module (https://drupal.org/project/jquery_dropdown) version 6.x-1.2 and found no issues. This module has been updated to the new version in our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
We have completed a security review of the Menu Trails module (http://drupal.org/project/menutrails) version 6.x-1.1 and found no issues. This module has been updated to the new version in our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
We have completed a security review of the Submenu Tree module (http://drupal.org/project/submenutree) version 6.x-1.6 and found no issues. This module has been added to our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
"The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. This helps search engines to more intelligently crawl a website and keep their results up to date. The sitemap created by the module can be automatically submitted to Ask, Google, Bing (formerly Windows Live Search), and Yahoo! search engines. The module also comes with several submodules that can add sitemap links for content, menu items, taxonomy terms, and user profiles." (http://drupal.org/project/xmlsitemap). The XMLSiteMap module version 6.x-1.2 has been approved and added to the list of approved modules accordingly (http://www.sas.upenn.edu/computing/drupal-approved-modules).
"The Node Reference URL Widget module adds a new widget to the Node Reference field type. It auto-populates a node reference field with a value from the URL, and does not allow this value to be changed once set. It can automatically provide a link on the referencing node types, that will contain the proper URL to prepopulate the field." (http://drupal.org/project/nodereference_url). We have reviewed the 6.x-1.11 version of the Nodereference URL module and approved it for use.
The Views Slideshow Dynamic Display Block (http://drupal.org/project/views_slideshow_ddblock) module "enables you to present content in a dynamic way. For creating slideshow effects it uses the jQuery Cycle plug-in." We have reviewed the latest (2.x) branch of the module and approved it for use. The updated version of the module (6.x-2.0) has been installed on our environment and updates the previously installed 6.x-1.1 version of the module.
The latest version of the Embedded Media Field module (http://drupal.org/project/emfield) version 6.x-1.26 has been approved and installed on production servers. This update should be seamless for all sites currently using the previously approved version of the module.
On Tuesday, June 14th, Adobe issued updates to Adobe Flash Player to fix multiple security vulnerabilities. These updated versions are strongly recommended for all previous versions of Adobe Flash Player on both Windows and Mac OS.
The issues fixed by this update are now being exploited in the wild on a large scale. ISC strongly suggests that all users of Adobe Flash Player update to version 10.3.181.26 as soon as possible.
Adobe's security bulletin on these vulnerabilities is located here:
The direct download link for Adobe Flash Player 10.3.181.26 is located here:
The Supported Products and Supported Products for Providers pages for Adobe Flash Player have related information at: