Chapter 6. Safety in the Theme

An introduction to theming best practices and a review of some common mistakes

Drupal generally has a strong separation between the controlling system logic and the presentation layer. It is often referred to as being an example of the Model View Controller or Presentation-Abstraction-Control architectures. While it might be fun to debate the finer points of those architectures, their definitions, and which one Drupal follows (for the record, it's PAC), I'm concerned with a more pragmatic issue: making it easy for themes to be safe.

A recent analysis of a high-profile Drupal site by a well-regarded security firm found roughly 120 security issues: one was a weakness in Drupal core when combined with certain contributed modules, a handful were in other contributed or custom modules, and all of the rest were in the custom theme that was created for the site. The theme can be a very easy place to introduce security holes, but it doesn't need to be.

Get Cracking Drupal®: A Drop in the Bucket now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.