Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
10 Jan 2017 at 02:22 UTC
Updated:
7 Feb 2017 at 01:44 UTC
Comments
Comment #2
PA robot commented
Fixed the git clone URL in the issue summary for non-maintainer users.
We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #3
ljcarnieri commented
Comment #4
ljcarnieri commented
Comment #5
ljcarnieri commented
Comment #6
rajveergangwar commented
I didn't find any issues, below is my manual review
Manual Review
Comment #7
rajveergangwar commented
Changing status, looks like RTBC
Comment #8
ljcarnieri commented
Comment #9
ljcarnieri commented
Comment #10
visabhishek commented
Comment #11
visabhishek commented
Automated Review
https://pareview.sh/node/435
Manual Review
<script>alert('XSS');</script>, it's getting executed (see the attached screenshot). You need to sanitize data before printing. For more information about sanitizing, please read https://www.drupal.org/node/28984.
Example:
1: Title in the following code:
The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.
This review uses the Project Application Review Template.
Comment #12
visabhishek commented
Comment #13
fadonascimento commented
Thanks a lot @rajveergang and @visabhishek for the review.
@visabhishek we fixed the following issues: 3rd party assets/code, README.txt/README.md, Secure code
This module is not a duplication, because the module webform_classes just adds classes inside each component; our module allows you to add any attributes to your form and its components, HTML5 attributes or custom attributes like autocomplete, autofocus, contenteditable, data-XXXX, etc.
For example:
In admin page:
When rendering the component:
<input type="text" data-subject="physics" data-level="complex"/>
And it's easy to manipulate attributes with JavaScript or a modern JavaScript framework, in jQuery for example:
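The attribute-output problem raised in comment #11 and the data-* rendering described in comment #13, shown side by side as an added example (not code from the webform attributes module). It assumes a Drupal 7 bootstrap so that `drupal_attributes()` and `check_plain()` from includes/common.inc are available; the function names and the sample attribute array are hypothetical.

```php
<?php
// Added example, not code from the webform attributes module. Assumes a
// Drupal 7 bootstrap so that drupal_attributes() and check_plain() from
// includes/common.inc are available; function names are hypothetical.

// Constructed sample of what an administrator could save in the module's
// attributes field, including the probe string from comment #11.
$attributes = array(
  'data-subject' => 'physics',
  'data-level'   => 'complex',
  'placeholder'  => '"><script>alert(\'XSS\');</script>',
);

/**
 * Vulnerable: stored values are concatenated straight into the markup,
 * so a double quote closes the attribute and the script tag is rendered.
 */
function webform_attributes_render_raw(array $attributes) {
  $out = '';
  foreach ($attributes as $name => $value) {
    $out .= ' ' . $name . '="' . $value . '"';
  }
  return '<input type="text"' . $out . ' />';
}

/**
 * Fixed: attribute names are restricted to a safe character set and
 * values go through drupal_attributes(), which runs check_plain() on each
 * value (it escapes values only, hence the separate name check).
 */
function webform_attributes_render_safe(array $attributes) {
  $clean = array();
  foreach ($attributes as $name => $value) {
    if (preg_match('/^[A-Za-z][A-Za-z0-9_:-]*$/', $name)) {
      $clean[$name] = $value;
    }
  }
  // drupal_attributes() returns a leading space when the array is non-empty.
  return '<input type="text"' . drupal_attributes($clean) . ' />';
}

// The raw variant emits a live <script> element; the safe variant renders
// placeholder="&quot;&gt;&lt;script&gt;alert(&#039;XSS&#039;);..." as text.
```

In a real component the same filtered array belongs in `$element['#attributes']`, so that theme functions such as `theme_textfield()` apply `drupal_attributes()` themselves.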
Comment #14
fadonascimento commented
Comment #15
naiduharish commented
Manual Review
You can assign arg() to a variable in the code below and use it instead of calling arg() directly, as below
The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
Comment #16
naiduharish commented
Comment #17
klausi commented
@naiduharish: changing the usage of arg() is surely not an application blocker, anything else that you found or should this be RTBC instead?
Comment #18
murilomleandro commented
I also didn't find any issues. This will be very useful for Bootstrap (data-target, data-dismiss) attributes; find my manual review below
Manual Review
Individual user account
Yes: Follows the guidelines for individual user accounts.
No duplication
Yes: Does not cause module duplication and/or fragmentation.
Master Branch
Yes: Follows the guidelines for master branch.
Licensing
Yes: Follows the licensing requirements.
3rd party assets/code
Yes: Follows the guidelines for 3rd party assets/code.
README.txt/README.md
Yes: Follows the guidelines for in-project documentation and/or the README Template.
Code long/complex enough for review
Yes: Follows the guidelines for project length and complexity.
Comment #19
fadonascimento commented
Thanks a lot @naiduharish for your review.
(2) - We fixed the issue about the arg() function, it's not a blocker but a good recommendation.
(1) - This module allows you to add any attributes to your form, like formnovalidate, and to all its components, not just textareas but also textfields, email fields, selects, etc.
Thanks a lot @klausi for your time on reviewing my issue.
Comment #20
fadonascimento commented
Comment #21
fadonascimento commented
Comment #22
klausi commented
@fadonascimento: looks like you assigned the wrong tag, should be without '#'.
And you have not done all manual reviews, you just posted the output of an automated review tool. Make sure to read through the source code of the other projects as requested on the review bonus page https://www.drupal.org/node/1975228
Comment #23
fadonascimento commented
Thank you @murilomleandro for your time on reviewing my module.
Sorry for my mistake @klausi, I read the article and I will be following the template, Thanks a lot for your time on reviewing my issue tag.
Comment #24
fadonascimento commented
Comment #25
fadonascimento commented
Comment #26
fadonascimento commented
Comment #27
rajveergangwar commented
I tested this module, working fine
Comment #28
fadonascimento commented
Thanks @rajveergang for your time on testing my module.
Comment #29
visabhishek commented
Review of the 7.x-1.x branch (commit e566c1c):
No automated test cases were found, did you consider writing Simpletests or PHPUnit tests? This is not a requirement but encouraged for professional software development.
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
Module looks good for me.
Thanks for your contribution, fadonascimento!
I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #30
fadonascimento commented
Thanks a lot @visabhishek, I'll make a full release soon.
Congratulations @visabhishek on the work you have been doing with the community.