Karanbir Singh wrote:
Ned Slider wrote:
We (in my day job) see the same security issues for Joomla based sites when modules are used to extend core functionality. Site developers/owners are quick to extend functionality by installing additional plugins but then don't want the responsibility of maintaining multiple packages/plugins on the server. It just adds a further layer of complexity as any plugins need to also be separately monitored (and maintained) for security updates.
Drupal 6 core has a built-in Update Status feature to keep the site admin up to date with new releases (contributed modules and security releases). It synchronizes with drupal.org and warns you when there are new releases for your modules. The update path is fairly easy and automated. using cvs to check out Drupal and its modules can save you a lot of time.
yes, and its things like this :
which are quite scary.
This is what happens when you don't use the Drupal API http://api.drupal.org/, which saves the developers from having to worry about common security issues like XSS, CSRF, SQL injection etc. In that way it's very quick to evaluate the quality of a module: you just need to check whether they make good use of the API or not...