[D7] Language Proficiency

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Hi Rajesh,

1. You need to use hook_help function for user's.
2. For language max length refer to below link :
https://en.wikipedia.org/wiki/List_of_language_names
3. In function language_proficiency_field_widget_form(), you should use IF ELSE instead of switch case since you have only one case.

Thanks
Rishabh

The code seems fine, I still haven't tested the module.

You need to look into whatever mentioned in #4.

Hi Rajesh.

I have installed the module. Create a field of type "language_proficiency".
In the field settings, I have set a default value in the "Name" textbox, and check the "write" checkbox under the "proficiency" dropdown.

Then I went to the node form. On the node form the "Name" field was empty, The default value is not there. and also the "write" checkbox was unchecked.

And also I am seeing the following notices on the node form.

    Notice: Undefined index: read in _language_proficiency_set_values() (line 181 of /var/www/drupal7/sites/all/modules/sandbox/language_proficiency/language_proficiency.module).
    Notice: Undefined index: read in _language_proficiency_set_values() (line 181 of /var/www/drupal7/sites/all/modules/sandbox/language_proficiency/language_proficiency.module).
    Notice: Undefined index: write in _language_proficiency_set_values() (line 182 of /var/www/drupal7/sites/all/modules/sandbox/language_proficiency/language_proficiency.module).
    Notice: Undefined index: write in _language_proficiency_set_values() (line 182 of /var/www/drupal7/sites/all/modules/sandbox/language_proficiency/language_proficiency.module).
    Notice: Undefined index: speak in _language_proficiency_set_values() (line 183 of /var/www/drupal7/sites/all/modules/sandbox/language_proficiency/language_proficiency.module).
    Notice: Undefined index: speak in _language_proficiency_set_values() (line 183 of /var/www/drupal7/sites/all/modules/sandbox/language_proficiency/language_proficiency.module).
    Warning: Illegal offset type in form_type_checkboxes_value() (line 2338 of /var/www/drupal7/includes/form.inc).

Please fix these issues.

Thanks

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

manual review:

1. What is the difference to existing projects such as https://www.drupal.org/project/term_level ? Please add that to the project page. Module duplication and fragmentation is a huge problem on drupal.org and we prefer collaboration over competition.
2. Project page is a bit short, see https://www.drupal.org/node/997024 to improve that.
3. The Git commits are not connected to your user account. You need to specify an email address. See https://www.drupal.org/node/1022156 and https://www.drupal.org/node/1051722
4. Why is the language field limited to 8 characters? How could I enter "Bulgarian" which has 9 characters?
5. This module has a security vulnerability and as part of our git admin training I'm assigning this to Manjit so that he can take a look. If he does not find anything I'm going to post exploit details in one week. And please don't remove the security tag, we keep that for statistics and to show examples of security problems.

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

@rajesh.vishwakarma Thanks for the contribution.

Automated Review

Best practice issues identified by pareview.sh : No.

Manual Review

Individual user account

Yes: follow the guidelines for individual user accounts.

No duplication

No: Causes module duplication and/or fragmentation. Please check the earlier comments by Klausi that how it is different from https://www.drupal.org/project/term_level ?

Master Branch

Yes: follow] the guidelines for master branch.

Licensing

Yes: follow the licensing requirements.

3rd party assets/code

Yes: follow the guidelines for 3rd party assets/code.

README.txt/README.md

Yes: follow the guidelines for in-project documentation and/or the README Template.

Code long/complex enough for review

Yes: follow the guidelines for project length and complexity.

Secure code

Not Meets the security requirements.

$element['language_proficiency']['language'] = array(
  '#type' => 'textfield',
  '#title' => t('Name'),
  '#default_value' => isset($value['language']) ? $value['language'] : '',
  '#required' => $element['#required'],
  '#size' => 8,
  '#attributes' => array('maxlength' => 8),
);

#default_value and user provided value is not properly sanitize to handle special characters. Please check https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/chec... and https://www.drupal.org/node/28984 to handle user provided data.

@Manjit: #default_value is sanitized automatically by the form API, so that is fine and should not be changed. If you think you found an XSS problem always try to exploit it to make sure there is an actual problem.

The security vulnerability is in theme_language_proficiency_formatter_language_proficiency_unformat() where the language value is printed unsanitized to HTML. If I enter <script>alert('XSS');</script> as language name then there will be a nasty javascript popup. Since the field length is only enforced as attribute on the language input field I can manipulate the submitted data to get something longer than 8 characters into the system.

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

Hi @rajesh,

This module works fine.

There is small recommendation find using Coder module :

Line 43: Potential problem: FAPI elements '#title' and '#description' only accept filtered text, be sure to use check_plain(), filter_xss() or similar to ensure your $variable is fully sanitized.
      '#title' => $element['#title'],

There is no other major blocker issue.

Thanks for your contribution, Rajesh!

I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.