Securing filter formats is one of the most important tasks when setting up a new site.

But sometimes when you inherit a site you find it wasn't done securely, or perhaps over time the format has gotten a bit lax and you want to make changes.

The Filter Format Audit module makes this task easy.

by
lee.rowlands
/ 18 May 2021

When you've got a lot of content, knowing whether the changes you want to make to your filter formats are going to cause any regressions in existing content has always been a bit of a 'try it and see approach'.

Now with the Filter Format Audit module, you can take out the guesswork and make sure your filter formats are secure enough to prevent attacks like Cross-site scripting, but permissive enough that you don't end up breaking existing content.

Features

Filter Format Audit lets you analyse your content to find where an input filter may be stripping out tags or attributes.

Use cases include:

• When you've changed your filter formats over time and need to identify existing content that is being impacted by the changes
• You've migrated content from another system and need to identify when tags/attributes are being stripped
• You had a lax filter format, and now need to make it secure

Configuration/Installation

1. Download and install the module like normal
2. Visit admin/content/filter-format-audit and hit 'run analysis'
3. Let it do its thing ⏳
4. Review the results and edit your formats/content as required
5. Rinse and repeat from step 2 onwards until you're happy ♻️

How it works

The module works by querying all fields that contain formatted text (e.g Text (Formatted), Text (Formatted, With Summary) where the value uses a filter-format that has the HTML Filter turned on.

It then applies the format to each field item via a batch callback

It keeps track of which tags and attributes were stripped and stores the result, as well as a link to the piece of content in a new Analysis Result content entity. Once analysis is done, the report shows a list of items where tags or attributes were stripped.

The module also provides some handy summary views of stripped tags and attributes, sorted by count. This is ideal for finding the low-hanging fruit.

The analysis report provides handy 'edit content' links to allow you to quickly edit content that needs updating. This is smart enough to know context of the edit. So for example if the text content lives in a paragraph, or an inline block via Layout Builder, the edit link takes you to the host entity. It can even work out if the content is in a paragraph, which is on an inline block, which is placed in Layout Builder. All of this is done cleanly via Entity-type handlers, so if your custom entity-type has unique requirements you should be able to add support.

Future steps

At present the module uses the currently configured filter-format for each piece of content, but we have plans to add support for simulating a format change.

See the issue queue for our future plans, and feel free to open an issue if you encounter any problems or have ideas for features.

Thank you to the NSW Department of Customer Service for sponsoring this work.

Tagged

Filter format, XSS, Drupal Security