Planet Drupal
Keeping an eye on Drupal core
Heine — Mon, 30/07/2007 - 00:56
To more efficiently review code changes in Drupal I've decided to write a little bot that regularly reads the RSS feed of Drupal core commits. It then downloads the referenced patches and creates new content on this site (example) under the category Drupal Core.
As this is a taxonomy term, it comes with the Drupal benefit (tm) of an RSS feed, which I now use to quickly review commits to core.
IN (%s); a security vulnerability waiting to happen
Heine — Tue, 19/06/2007 - 00:14
I've written before about (ab)using %s in IN clauses such as:
db_query("SELECT t.s FROM {table} t WHERE t.field IN (%s)", implode(',', $from_user));
The problem with such a query is that it leaves open the possibility that, somewhere down the line, a code path develops in which unfiltered content ends up in that variable and thus, unescaped, in your query.
Here's a simplified, real life example where this happened during a bugfix.
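As an added illustration (not code from the original post or from Drupal itself), here is the fragile construction beside a hardened form that binds every value through its own %d placeholder. The bind_int_placeholders() helper and the $from_user array are constructed stand-ins so the snippet runs without a Drupal bootstrap; in a real module the query string and arguments would go to db_query() instead.

```php
<?php
// Constructed input: a list that was once built from integers only,
// until a later code path stopped filtering it.
$from_user = array('3', '7', "8) OR (1=1");

// Fragile: the whole list is dropped into the SQL as one raw string.
// Whatever is in $values becomes part of the query structure.
function in_clause_fragile(array $values) {
  return sprintf("SELECT t.s FROM {table} t WHERE t.field IN (%s)",
                 implode(',', $values));
}

// Hardened: one %d placeholder per value, values passed separately.
// Each argument is then coerced to an integer before it reaches the
// SQL, so a string like "8) OR (1=1" collapses to 8.
// Edge case: IN () is a syntax error, so an empty list yields a
// query that deliberately matches nothing.
function in_clause_hardened(array $values) {
  if (count($values) === 0) {
    return array("SELECT t.s FROM {table} t WHERE 1 = 0", array());
  }
  $placeholders = implode(',', array_fill(0, count($values), '%d'));
  $sql = "SELECT t.s FROM {table} t WHERE t.field IN ($placeholders)";
  return array($sql, array_values($values));
}

// Stand-in for the %d substitution Drupal's db_query() performs
// (hypothetical helper, not a Drupal API). intval() on every
// argument is what makes the placeholder safe for integer columns.
// Assumes the SQL contains no other % characters.
function bind_int_placeholders($sql, array $args) {
  return vsprintf($sql, array_map('intval', $args));
}

// The fragile query keeps the injected clause; the hardened one
// reduces it to the integer 8.
echo in_clause_fragile($from_user), "\n";

list($sql, $args) = in_clause_hardened($from_user);
echo bind_int_placeholders($sql, $args), "\n";
```

The same pattern applies to string columns: one '%s' placeholder per value, each argument escaped individually, rather than a single implode() of pre-quoted strings.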
Do a quick security review when porting your module
Heine — Thu, 22/02/2007 - 09:48
Adapted from a mail I sent to the Drupal development list.
Porting a module is an excellent opportunity to keep an eye out for security problems (evidence: DRUPAL-SA-2006-031). Here's a quick security reminder regarding input (user-supplied data). Code samples are only included to make a point; do not hold them against me.
Gain administrator privileges via an XSS vulnerability in Recipe
Heine — Tue, 20/02/2007 - 23:53
For those with the tendency to downplay cross site scripting (XSS) vulnerabilities, a small videocast on how a vulnerability in the contributed module Recipe can give an attacker administrator access to a Drupal site. The vulnerability was fixed with DRUPAL-SA-2006-014 a long time ago, so I feel it's safe to publish the video now.
» Videocast.