For the last four years I’ve been working on a static site generator for Drupal called Tome. Unlike other generators Tome uses vanilla Drupal, which means that if you know how to build a Drupal site, you know how to build a Tome site One downside of this is that when comparing a default install...

   I’ve just published a new project for performing static application security testing SAST on Drupal sites, mortenson psalm plugin drupal. Using Psalm, custom plugins, funky scripts, and a lot of elbow grease, I think I have something that will help everyone write safer Drupal code.

   I’ve done quite a bit of security research for Drupal, and one area of exploitation that I often come back to is the AJAX API. Drupal’s AJAX API is built on top of jQuery, and lets developers easily add interactive behavior to the frontend.

   Drupal doesn’t have many SQL injection vulnerabilities anymore, at least not since the original Drupalgeddon was released into the wild. So what makes Drupal so safe Abstractions of course The database abstraction layer or DB layer is used throughout core and contrib to make all sorts of...

   There’s a feature in Drupal that not a lot of people know about, but is a great target for security research private files. Private files allow you to upload files to a non public directory on your server, then serve them through Drupal instead of through your HTTP server. Drupal is then able to...

   Recently I’ve started to pick up a new programming language, Go, but have struggled to absorb lessons from presentations and tutorials into practical knowledge. My preferred learning method is always to work on a real project, even if it means the finished work has loads of flaws.

   I’ve just finished re building my site using Tome and Single File Components SFC , two Drupal projects I maintain and wanted to test out on a real site. If you’re reading this post, you’re already on my new website Hope it’s working OK so far.

   I’ve been thinking about ways to make Drupal frontend easier recently, and have been working on an experimental module called Single File Components SFC , which lets you put your CSS, JS, Twig, and PHP in one file. If you want to skip the blog you can just check out the project at https...

   As a part of my ongoing work on Tome, a Drupal static site generator, I’ve become interested in providing a solution for static searches. If you have a static site there’s typically no backend to do any server side processing, which means that search has to be done on the client or through a third...

   Six months ago I started work on Tome, a static site generator for Drupal . After lots of rewrites and long nights, Tome has finally reached the beta phase of testing and development Up until now, I haven’t invested a lot of time in communicating what I’m doing, why I made Tome, or why static...

   Note: This exploit was fixed over a year ago as a part of SA CORE CVE , so unless your Drupal site is really, really out of date, you should not be affected. When I do security research on Drupal core, I tend to focus on one class of vulnerability and pursue that until I find...

   I recently celebrated my five year anniversary on Drupal.org, and wanted to write about how I work on issues day to day and my general contribution vibe . My Drupal.org account was created the week I started working at Acquia as a part of their employee on boarding, and I only really used it to...

   Last week I published the Twig Components Drupal module the latest in a series of projects aiming to combine Twig, Web Components, and PHP. I wanted to write about why I’m doing this work, and why developers should care.

   In the world of web security, cross site scripting XSS vulnerabilities are extremely common, and will continue to be a problem as web applications become increasingly complex. According to a report by Bugcrowd, a popular bug bounty site, XSS vulnerabilities account for of valid...

   Note: The exploit discussed in this post was never included in a stable core release, so don’t freak out The Drupal security team quickly fixed this while . .x was still in development. One method I commonly use when auditing Drupal code is to find routes that are accessible to anonymous users,...

   Drupal Advent Calendar day Markdown Easy james Sun, : Welcome back to day of the Drupal Advent Calendar. Behind today’s door Mike Anello ultimike introduces us to the Markdown Easy module.I’m Mike Anello from DrupalEasy and I’m the...

   Drupal Advent Calendar day Subpathauto and Friends james Sat, : Welcome to the second day of the Drupal Advent Calendar. Behind today’s door, Josh Mitchell joshuami tells us about the Subpathauto module, and some neat tricks when using...

   Proprietary vs. Open Source CMSs Michael J. Ross If and when your organization needs a new website, in most cases the best approach is to build it upon a content management system CMS , which is like a framework that allows the website owner to easily add...

   Check out what went down at Drupal Camp in Costa Rica Get insights into sessions and stories from tech folks. It’s a peek into Costa Rica’s tech world something you don’t wanna miss

   Introducing Calendar View Module: a lightweight tool by Matthieu Scarset, that streamlines the complex process of calendar creation in Drupal. With a focus on simplicity, this module offers a user friendly approach, allowing even those with limited technical expertise to effortlessly build...

   Drupal Advent Calendar day Gin Admin Theme james Fri, : Welcome to the Drupal Advent Calendar. Behind today’s door, we find the Gin Admin Theme, with a fantastic write up by Ludovic Favre Grumpy .Since Drupal , Claro has been the...

   Takeaway: Securing data is a continuous process, not just a one time action. When we talk about CMS migration, especially for sites with sensitive information, the focus should be as much on keeping data safe during the move as on ensuring its ongoing security afterward. As someone deeply involved...

   Suchi’s Rules as Code presentation Suchi’s presentation provides information about two Rules as Code implementations, both using OpenFisca and Drupal, including an OpenFisca Drupal module that integrates OpenFisca with a Drupal webform. Akhil’s CivicTheme presentation Akhil’s presentation looks at...

   The Technical Working Group TWG is announcing two coding standards changes for final discussion. Feedback will be reviewed at the meeting scheduled for Wednesday December UTC. Issues for discussion New coding standard: Code style for declare strict types ; Argument lists for function...

   I have seen some chatter lately about folks asking how to access the Solr admin interface over HTTPS instead of HTTP connection in DDEV. Enabling this is a simple change to the docker compose.solr.yaml file in the .ddev directory.In the file, make the following changes under the environment section:

   Maximizing website engagement and interactivity is a major goal of all marketers. However, the management of multitudinous third party integrations and tracking tools is a laborious task. Gladly, Google created Google Tag Manager to simplify the complicated lives of marketing teams worldwide. It...

   This podcast series focuses on the strategies involved in upgrading and migrating Drupal websites and applications. Read more michaelemeyers Tue, :

   There’s so much going on in the world of Drupal migrations. Drupal reached its End Of Life EOL on November, . Drupal will reach EOL by January final extension . Drupal was released back in December and its current version, . . was released on November, . More than...

   READ MORE

   We’re proud to announce the release of vite plugin twig drupal, a plugin for Vite that we hope will improve your workflow for front end development with Drupal. by lee.rowlands November The problem spaceYou’re working with Twig in a styleguide driven development process....