Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
10 Jan 2017 at 17:35 UTC
Updated:
8 Feb 2017 at 14:34 UTC
Comments
Comment #2
visabhishek commented
1: Found XSS issue: If I enter `<script>alert('XSS');</script>` in Widget Text, it's getting executed. You need to sanitize data before printing. For more information about sanitizing, please read https://www.drupal.org/node/28984.
2: Please delete all variables used in the module under hook_uninstall();
Example :
3: Please use t() for all user facing text.
Example :
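The three review points above, shown together in a hypothetical Drupal 7 module. This is an added example, not code from the sandbox project under review; the module name `widget_text`, the variable names and the settings form are assumptions.

```php
<?php
// Added example (not the reviewed module's code). Assumes Drupal 7;
// module name, variable names and function names are hypothetical.

/**
 * Implements hook_block_view().
 *
 * Point 1: the configured text is user-supplied, so it must be escaped
 * before it is placed in markup. check_plain() turns <script> into the
 * inert text &lt;script&gt; instead of letting the browser execute it.
 */
function widget_text_block_view($delta = '') {
  $block = array();
  if ($delta === 'widget_text') {
    $raw = variable_get('widget_text_body', '');
    // Unsafe variant: '#markup' => $raw would print the script tag verbatim.
    $block['subject'] = t('Widget text');
    $block['content'] = array('#markup' => check_plain($raw));
  }
  return $block;
}

/**
 * Implements hook_uninstall().
 *
 * Point 2: every variable the module ever set is removed, so nothing is
 * left behind in the {variable} table after the module is uninstalled.
 */
function widget_text_uninstall() {
  variable_del('widget_text_body');
  variable_del('widget_text_enabled');
}

/**
 * Settings form (wired to a menu item elsewhere, omitted here).
 *
 * Point 3: every user-facing string goes through t() so it can be
 * translated; machine names and variable keys do not.
 */
function widget_text_settings_form($form, &$form_state) {
  $form['widget_text_body'] = array(
    '#type' => 'textarea',
    '#title' => t('Widget text'),
    '#description' => t('Shown in the Widget Text block. HTML is escaped on output.'),
    '#default_value' => variable_get('widget_text_body', ''),
  );
  return system_settings_form($form);
}
```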
Comment #3
jfurnas commented
Comment #4
jfurnas commentedThank you for the valuable input. I went ahead and made the proposed changes.
Comment #5
PA robot commentedThere are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpsgitdrupalorgsandboxjfurnas2842452git
We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #6
jfurnas commented
Finally, after several iterations to comply with Drupal standards, it should be ready for final review.
Comment #7
jfurnas commented
Comment #8
jfurnas commented
Comment #9
jfurnas commented
Comment #10
jfurnas commented
Comment #11
jfurnas commented
Comment #12
klausi commented
Please don't remove the security tag, we keep that for statistics and to show examples of security problems.
Comment #13
jfurnas commented
@klausi
I am sorry for removing the security tag. I wasn't aware that you did that. I will make note of it for the future.
Comment #14
satyam upadhyay commented
Hi jfurnas,
Regards
Satyam
Comment #15
jfurnas commented
#1, the script isn't being executed. It's converting the input-field to plain-text, which is what it should be doing, and #2 shouldn't be a cause for denial as it's a cosmetic issue, not a functionality issue.
Comment #16
jfurnas commented
Comment #17
klausi commented
manual review:
Otherwise looks good to me.
Thanks for your contribution, Justin!
I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #18
jfurnas commented