Feed aggregator

Code Drop: Drupal Security Tips for Developers

Planet Drupal - Wed, 10/12/2014 - 05:30

I’ve recently been reviewing a few security-related patches, and it soon became apparent that many developers make the same mistakes over and over with regard to security best practices in Drupal. So below is a very short post on the common mistakes and their solutions.

Correct usage of t()

Use the right placeholder for t(). You should be using "%" and "@", which are both escaped (run through check_plain()) to protect against cross-site scripting vulnerabilities. "!" inserts the value verbatim, so whenever you use "!" as a placeholder, double-check that the content has already been escaped.

Escaping Output in #markup

If you’re providing a custom field, widget and formatter, you need to make sure that any content coming from the admin is correctly escaped. For example, you’re implementing hook_field_formatter_view() and doing something like:
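The following is an added example, not code from the original post, that puts the two points above together in a Drupal 7 formatter: an admin-configured string and the stored field value are escaped before they reach #markup, and the "@", "%" and "!" placeholders of t() are used where each is appropriate. It assumes Drupal 7; the module name my_module, the 'prefix' formatter setting and the my_module_status_line() helper are hypothetical.

```php
<?php
/**
 * Added example (not from the original post): escaping admin-supplied
 * text in a Drupal 7 field formatter and choosing t() placeholders.
 * Assumes Drupal 7; the 'prefix' setting and my_module are hypothetical.
 */

/**
 * Implements hook_field_formatter_view().
 */
function my_module_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  // Free-text prefix configured by an administrator in the formatter
  // settings (hypothetical setting). Admin-supplied text is still untrusted:
  // anyone with the permission can store markup here, so escape it before
  // it reaches #markup.
  $prefix = isset($display['settings']['prefix']) ? $display['settings']['prefix'] : '';

  foreach ($items as $delta => $item) {
    // UNSAFE (the mistake the post describes): both strings are concatenated
    // straight into #markup, so stored <script> tags are rendered as-is.
    // $element[$delta] = array('#markup' => $prefix . ': ' . $item['value']);

    // SAFE: the '@' placeholder runs each value through check_plain(), so the
    // HTML is rendered as text. check_plain($prefix) . ': ' . check_plain($item['value'])
    // is equivalent when no translation is wanted.
    $element[$delta] = array(
      '#markup' => t('@prefix: @value', array(
        '@prefix' => $prefix,
        '@value' => $item['value'],
      )),
    );
  }
  return $element;
}

/**
 * Hypothetical helper showing when '!' is acceptable.
 */
function my_module_status_line($account, $path) {
  // '@' and '%' are both escaped; '%' additionally wraps the value in
  // <em class="placeholder">. '!' is inserted verbatim, so it is only safe
  // for output that is already escaped. format_username() returns an
  // unescaped string, hence '%name'; l() escapes its link text itself,
  // hence '!link' is fine here.
  return t('Hello %name, your report settings are at !link', array(
    '%name' => format_username($account),
    '!link' => l(t('this page'), $path),
  ));
}
```

The commented-out line is the pattern to look for in review: any string that reaches #markup, #prefix or #suffix without passing through check_plain(), filter_xss() or an escaping placeholder.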

Categories: Elsewhere

Drupal governance announcements: DrupalSouth - Early Bird tix almost sold out!

Planet Drupal - Wed, 10/12/2014 - 02:26

There are only a few early bird tickets left. So if you want one, grab it now.


Dirk Eddelbuettel: Wilco!!

Planet Debian - Wed, 10/12/2014 - 01:47

With a bit of luck due to a colleague having a spare ticket, I managed to make it to an awesome Wilco show at The Riviera in Uptown.

This concert was part of a set of six shows. Tweedy and the band were fast, and loose, and wonderful, and totally beloved by the home crowd. A truly outstanding show, and a great evening.

Also: I should get out more often. Last blog entry about Wilco was from 2005. Ouch.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Dirk Eddelbuettel: RcppAnnoy 0.0.4

Planet Debian - Wed, 10/12/2014 - 01:29

A few weeks ago, RcppAnnoy had its initial release 0.0.2 and subsequent update in release 0.0.3. The latter brought Windows support, thanks to a neat pull request by Qiang Kou.

RcppAnnoy wraps the small, fast, and lightweight C++ template header library Annoy written by Erik Bernhardsson for use at Spotify. RcppAnnoy uses Rcpp Modules to offer the exact same functionality as the Python module wrapped around Annoy.

In the 0.0.3 release, I overlooked one thing: that with builds on Windows, we would also get builds against what CRAN calls R-oldrel: the previous release, which cannot turn on C++11 via the simple CXX_STD = CXX11 declaration in src/Makevars (and which we need because use of Boost brings in long long which R can only cope with under C++11 ...).

So this new release 0.0.4 does nothing more than add a Depends: R (>= 3.1.0) constraint, to avoid builds on an R that cannot turn on C++11.

Courtesy of CRANberries, there is also a diffstat report for this release. More detailed information is on the RcppAnnoy page.

Pixelite: How to add subtabs under the User Edit tab in Drupal

Planet Drupal - Wed, 10/12/2014 - 01:00

To get your tabs to appear on the user edit page use hook_user_categories() and hook_menu_alter().

The detail

Getting submenu items to appear within the user edit area of Drupal has not always worked as I would expect from reading the documentation around hook_menu(). As it happens, the user module provides hooks that make this quite simple.

hook_user_categories() allows you to return a subset of the parameters you’d expect to see in hook_menu().

In this example we add a new set of tabs to the User Edit page. The first, Account, now appears because there is more than one tab. The second is Report Settings, and it has a URL like user/12345/edit/report_settings, where report_settings is taken from the name parameter.

<?php
/**
 * Implements hook_user_categories().
 */
function my_module_user_categories() {
  return array(
    array(
      'name' => 'report_settings',
      'title' => t('Report settings'),
      'weight' => 1,
      'access callback' => 'user_edit_access',
      'access arguments' => array(1),
    ),
  );
}
?>

At this point we have a new menu item presented as a tab on the user edit page, and clicking it takes us to a blank form with a submit button. I think this is due to the way menu items can inherit behaviour from parent menu items. We’ll be wanting to override that behaviour and present our own form. This can be done through hook_menu_alter().

Checking the keys of the array passed to hook_menu_alter() we should find that we have a new one called user/%user_category/edit/report_settings. We can edit this one to point it at our preferred form built using the Form API as usual.

<?php
/**
 * Implements hook_menu_alter().
 */
function my_module_menu_alter(&$callbacks) {
  $callbacks['user/%user_category/edit/report_settings']['page arguments'] = array('my_module_user_report_settings', 1);
  // We need to set the file path as it defaults to the user module.
  $callbacks['user/%user_category/edit/report_settings']['file path'] = drupal_get_path('module', 'my_module');
  $callbacks['user/%user_category/edit/report_settings']['file'] = 'my_module.user.inc';
}
?>

Gotchas
  • You will want to be clearing your menu cache a lot while getting this working. Every edit will require a drush cc menu.
  • Ensure you have set the file path in hook_menu_alter() if you have your page callback or form function for drupal_get_form() in a separate file.
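The two hooks above point at a form builder, my_module_user_report_settings, that the post does not show. The following is an added example, not code from the original post, of what goes in my_module.user.inc: the form receives the loaded user object as its third argument because hook_menu_alter() passed 1 as a page argument, access has already been enforced by user_edit_access(), and the value is stored on the account itself. It assumes Drupal 7 and the my_module module from the post; the 'report_frequency' setting and the use of the $edit['data'] array with user_save() to persist it are this example's own choices.

```php
<?php
/**
 * @file
 * Added example (not from the original post): the form behind the
 * "Report settings" tab wired up by the post's hook_menu_alter().
 * Assumes Drupal 7; 'report_frequency' is a hypothetical setting.
 */

/**
 * Form builder for user/%user_category/edit/report_settings.
 *
 * $account is the user object loaded by the %user_category wildcard and
 * passed as page argument 1. The menu router has already run
 * user_edit_access($account), so this form is only reachable for accounts
 * the current visitor is allowed to edit; no extra check is needed here.
 */
function my_module_user_report_settings($form, &$form_state, $account) {
  // Keep the account on the form so the submit handler edits the same user,
  // not whoever happens to be logged in.
  $form['#account'] = $account;
  $current = isset($account->data['report_frequency']) ? $account->data['report_frequency'] : 'weekly';

  $form['report_frequency'] = array(
    '#type' => 'select',
    '#title' => t('Report frequency'),
    '#options' => array(
      'daily' => t('Daily'),
      'weekly' => t('Weekly'),
      'never' => t('Never'),
    ),
    '#default_value' => $current,
  );
  $form['actions'] = array('#type' => 'actions');
  $form['actions']['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Save'),
  );
  return $form;
}

/**
 * Submit handler: persist the choice on the edited account.
 */
function my_module_user_report_settings_submit($form, &$form_state) {
  $account = $form['#account'];
  // A select element rejects any value that is not a key of #options during
  // Form API validation, so only 'daily', 'weekly' or 'never' reaches here.
  $edit = array(
    'data' => array(
      'report_frequency' => $form_state['values']['report_frequency'],
    ),
  );
  // user_save() merges $edit['data'] into the serialized users.data column.
  user_save($account, $edit);
  drupal_set_message(t('Report settings saved.'));
}
```

Because the file is only loaded by the menu system when the 'file' and 'file path' keys from hook_menu_alter() are correct, a "call to undefined function" error on this tab usually means one of those keys is wrong or the menu cache is stale.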

If you have found this post helpful, ping me in the comments, on Twitter (@Unifex) or on D.o at Gold.
