[D7] Chartist

Multiple Applications

It appears that there have been multiple project applications opened under your username:

Project 1: https://www.drupal.org/node/2795077

Project 2: https://www.drupal.org/node/2796389

As successful completion of the project application process results in the applicant being granted the 'Create Full Projects' permission, there is no need to take multiple applications through the process. Once the first application has been successfully approved, then the applicant can promote other projects without review. Because of this, posting multiple applications is not necessary, and results in additional workload for reviewers ... which in turn results in longer wait times for everyone in the queue. With this in mind, your secondary applications have been marked as 'closed(duplicate)', with only one application left open (chosen at random).

If you prefer that we proceed through this review process with a different application than the one which was left open, then feel free to close the 'open' application as a duplicate, and re-open one of the project applications which had been closed.

I'm a robot and this is an automated message from Project Applications Scraper.

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Hi,

Automated Review

There are some issues that automated test detected:
http://pareview.sh/pareview/httpsgitdrupalorgsandboxgraber2593245git
Look, if it need to be fixed.

Note that perfect adherence to Drupal Coding Standard is NOT a reason to block an application, except for total disregard of them. However, modules should follow them as closely as possible.

Manual Review

Individual user account

Yes: Follows the guidelines for individual user accounts.

No duplication

Yes: Does not cause module duplication and/or fragmentation.

Master Branch

Yes: Follows the guidelines for master branch.

Licensing

Yes: Follows the licensing requirements.

3rd party assets/code

Yes: Follows the guidelines for 3rd party assets/code.

README.txt/README.md

Yes: Follows the guidelines for in-project documentation and/or the README Template.

Code long/complex enough for review

Yes: Follows the guidelines for project length and complexity.

Secure code

Yes: Meets the security requirements.

Coding style & Drupal API usage

1. No issues found

The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.

If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.

This review uses the Project Application Review Template.

1. Please sanitize data values before display in front-end. If we pass some script as data to the chartist template it is getting execute in front-end while displaying chart. For example
   

   // Chartist bar chart.
     $output['bar_chart'] = array(
       '#theme' => 'chartist',
       '#title' => t('<script>alert("XSS 1");</script>'),
       '#chart_type' => 'Bar',
       '#data' => array(
         'series' => array(
           array(
             'name' => '<script>alert("XSS 2");</script>',
             'data' => array(60000, 40000, 80000, 70000),
           ),
           array(
             'name' => 'Serie 2',
             'data' => array(40000, 30000, 70000, 65000),
           ),
           array(
             'name' => 'Serie 3',
             'data' => array(8000, 3000, 10000, 6000),
           ),
         ),
         'labels' => array(
           'First quarter of the year',
         .
   	  .
   	  .
   	  .
     );
   

   This is vulnerable to XSS exploits. When it creates a dynamic chart with user entered data, then an attacker can execute arbitrary JS code. You need sanitize user provided text before directly printing to HTML. Make sure to read https://www.drupal.org/node/28984 again. If I'm right please don't remove the security tag, we keep that for statistics and to show examples of security problems.

2. Implement hook_requirements() to check availability of Chartist library.
3. Follow the Module documentation guidelines. Implement hook_help() and follow README-file template.

Removing 'PAReview: review bonus' tag. You can add it again with your three manual review links.

Thanks,
ARUN AK

Hi Graber,

Please find my comments below.

1. Module looks good. But some error identified by pareview which is related to coding standards needs to be fixed. It is recommended to fix it if it is not false positive.
2. In chartist_example_page callback function, please use #attached instead of drupal_add_css to include example.css file. Though it is just a example callback, it will lead other developers who are going to use this module theme to follow the same standard.
3. Any reason to have the folder which has chartist_init.js file in name "resources"? If not please rename the "resources" as "js" since it contains only js file.
4. In issue description, under "Manual reviews of other projects", please update the link with specific comment which you made in that issue. For example https://www.drupal.org/node/2795715#comment-11586783 .

Have fixed all the issues mentioned above. As this module is only providing an api to the chartist library, in future you can consider the implementation of work with Views api. It makes the chart integration easy and will reduce the coding effort for normal users.

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

no objections for more than a month, so ...

Thanks for your contribution, Graber!

I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.