The Staging Widget module creates a floating widget on your site to make it easy to tell a staging site from a production site. Configuration options let you set the position of the widget on the page and the text it displays.

This is similar to the Environment Indicator module in that it displays an indicator on your site. The key difference is that it creates a floating (and configurable) box on the screen instead of a bar, which makes it more visible on the site.

Files: #18 Selection_010.png (32.45 KB, jfurnas)

Comments

jfurnas created an issue. See original summary.

visabhishek

Status: Needs review » Needs work
Issue tags: +PAreview: security

1: Found XSS issue: if I enter <script>alert('XSS');</script> in Widget Text, it's getting executed. You need to sanitize data before printing. For more information about sanitizing, please read https://www.drupal.org/node/28984.

function staging_widget_page_build(&$page) {

  // The configured widget text is concatenated straight into HTML without
  // check_plain(), so a stored <script> tag is rendered as-is (stored XSS).
  $markup = '
    <div id="testing" aria-label="Staging Site Indicator">
      <span>'.variable_get('staging_widget_text','STAGING SITE').'</span>
    </div>';

  $page['page_bottom']['staging_widget'] = array(
    '#attached' => array(),
    '#markup' => $markup,
  );
}

2: Please delete all variables used by the module in hook_uninstall().
Example:

variable_set('staging_widget_text',$form_state['values']['staging_text']);
variable_set('staging_widget_top_position',$form_state['values']['staging_top_position']);
  

3: Please use t() for all user-facing text.
Example:

drupal_set_message('Widget settings updated!');
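The three review points above carried through in one place, as an added example that is not the Staging Widget module's own code. It assumes the Drupal 7 API (variable_get(), variable_set(), variable_del(), check_plain(), t(), drupal_set_message()) and supplies minimal stand-ins for those functions, guarded by function_exists(), only so the escaping can be exercised from the PHP CLI without a Drupal bootstrap; the helper staging_widget_build_markup() and the form value keys are assumptions, not names from the project.

```php
<?php
// Added example: hardened versions of the three points from the review above.
// Not the Staging Widget module's code. Assumes the Drupal 7 API; the stand-ins
// below exist only so this file runs under plain `php` for a demonstration.

if (!function_exists('check_plain')) {
  // Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('t')) {
  function t($string, array $args = array()) { return strtr($string, $args); }
}
if (!function_exists('drupal_set_message')) {
  function drupal_set_message($message) { echo "[message] $message\n"; }
}
if (!function_exists('variable_get')) {
  $GLOBALS['conf'] = array();
  function variable_get($name, $default = NULL) {
    return isset($GLOBALS['conf'][$name]) ? $GLOBALS['conf'][$name] : $default;
  }
  function variable_set($name, $value) { $GLOBALS['conf'][$name] = $value; }
  function variable_del($name) { unset($GLOBALS['conf'][$name]); }
}

/**
 * Builds the widget markup (assumed helper). Point 1: the configured text is
 * escaped with check_plain() before it is concatenated into HTML, so a stored
 * <script> tag becomes inert text instead of executing.
 */
function staging_widget_build_markup($text) {
  return '<div id="staging-widget" aria-label="Staging Site Indicator">'
    . '<span>' . check_plain($text) . '</span></div>';
}

/**
 * Implements hook_page_build() (Drupal 7). Point 3: the default is wrapped in t().
 */
function staging_widget_page_build(&$page) {
  $text = variable_get('staging_widget_text', t('STAGING SITE'));
  $page['page_bottom']['staging_widget'] = array(
    '#markup' => staging_widget_build_markup($text),
  );
}

/**
 * Settings form submit handler (assumed name). Point 3 again: the status
 * message goes through t(). The value is stored raw and escaped on output.
 */
function staging_widget_settings_form_submit($form, &$form_state) {
  variable_set('staging_widget_text', $form_state['values']['staging_text']);
  variable_set('staging_widget_top_position', $form_state['values']['staging_top_position']);
  drupal_set_message(t('Widget settings updated!'));
}

/**
 * Implements hook_uninstall() (Drupal 7). Point 2: drop every variable the
 * module created so nothing is left behind in the variable table.
 */
function staging_widget_uninstall() {
  foreach (array('staging_widget_text', 'staging_widget_top_position') as $name) {
    variable_del($name);
  }
}

// Demonstration with the reviewer's payload as the submitted form value.
$form_state = array('values' => array(
  'staging_text' => "<script>alert('XSS');</script>",
  'staging_top_position' => 10,
));
staging_widget_settings_form_submit(array(), $form_state);

$page = array();
staging_widget_page_build($page);
echo $page['page_bottom']['staging_widget']['#markup'], "\n";

staging_widget_uninstall();
var_dump(variable_get('staging_widget_text'));
```

Escaping happens at output, not at input: the stored value stays exactly what the administrator typed, so re-editing the form does not double-escape it, and any other consumer of the variable is responsible for escaping in its own context.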
jfurnas

Status: Needs work » Needs review

jfurnas

Thank you for the valuable input. I went ahead and made the proposed changes.

PA robot

Status: Needs review » Needs work

There are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpsgitdrupalorgsandboxjfurnas2842452git

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

jfurnas

Finally, after several iterations to comply with Drupal standards, it should be ready for final review.

jfurnas

Status: Needs work » Needs review
Issue tags: -PAreview: security
Issue summary: View changes
Issue tags: +PAreview: review bonus

klausi

Issue tags: +PAreview: security

Please don't remove the security tag, we keep that for statistics and to show examples of security problems.

jfurnas

@klausi

I am sorry for removing the security tag. I wasn't aware that you did that. I will make note of it for the future.

satyam upadhyay

Status: Needs review » Needs work

Hi jfurnas,

  1. Fix the #2 found by @visabhishek; this is still getting executed, see https://www.screencast.com/t/Y2vMcHJOu
  2. Update (div id="testing") with a meaningful #id, see https://www.screencast.com/t/DR0OKbfN

Regards
Satyam

jfurnas

#1, the script isn't being executed. It's converting the input field to plain text, which is what it should be doing, and #2 shouldn't be cause for denial as it's a cosmetic issue, not a functionality issue.

jfurnas

Status: Needs work » Needs review

klausi

Status: Needs review » Fixed

Manual review:

  1. Project page: what are the differences to existing projects such as https://www.drupal.org/project/environment_indicator ? Can you provide a screenshot of how your widget looks? See also https://www.drupal.org/node/997024
  2. "package = CEN Modules": what are CEN modules? Why this package?
  3. staging_widget_menu(): why the permission "administer users"? That does not seem to really fit. Did you mean "administer site configuration" instead?
  4. staging_widget_page(): this function can be removed if you use drupal_get_form as the page callback in hook_menu(). See node_menu() for examples.

Otherwise looks good to me.

Thanks for your contribution, Justin!

I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.
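Points 3 and 4 of the manual review above, written out as an added example that is not the module's code. It assumes the Drupal 7 menu and Form API (hook_menu(), drupal_get_form(), system_settings_form(), element_validate_integer_positive()); the admin path, the form function name and the form element names are assumptions. The form elements are keyed by the variable names so that system_settings_form() saves them without a custom submit handler.

```php
<?php
// Added example for review points 3 and 4; not the Staging Widget module's code.
// Assumes the Drupal 7 menu and Form API. This is a module fragment, meant to
// live in staging_widget.module, not a stand-alone script.

/**
 * Implements hook_menu().
 *
 * drupal_get_form is the page callback, so no wrapper page function is needed
 * (point 4), and the route is gated on 'administer site configuration' rather
 * than 'administer users' (point 3): the form only touches site variables, so
 * the permission should describe that and nothing broader.
 */
function staging_widget_menu() {
  $items = array();
  $items['admin/config/development/staging-widget'] = array(
    'title' => 'Staging widget',
    'description' => 'Configure the staging site indicator widget.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('staging_widget_settings_form'),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Settings form (assumed name). Element keys match the variable names so
 * system_settings_form() stores them directly. The text is kept raw here and
 * escaped with check_plain() where it is printed, so editing does not
 * double-escape it.
 */
function staging_widget_settings_form($form, &$form_state) {
  $form['staging_widget_text'] = array(
    '#type' => 'textfield',
    '#title' => t('Widget text'),
    '#description' => t('Text shown inside the floating widget.'),
    '#default_value' => variable_get('staging_widget_text', 'STAGING SITE'),
    '#maxlength' => 64,
    '#required' => TRUE,
  );
  $form['staging_widget_top_position'] = array(
    '#type' => 'textfield',
    '#title' => t('Top position (px)'),
    '#default_value' => variable_get('staging_widget_top_position', 10),
    '#size' => 6,
    // Rejects anything that is not a positive integer before it is saved.
    '#element_validate' => array('element_validate_integer_positive'),
  );
  return system_settings_form($form);
}
```

With this shape the module has no page callback of its own to maintain, the access check is declared once on the menu item, and the only value that reaches the page is a validated integer plus a string that is escaped at output.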

jfurnas

Issue summary: View changes

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.