This module allows administrators to customize a theme's JS through the browser, using a rich text editor with syntax highlighting.

On the settings page of each theme it will be displayed a textarea where the admin can type custom Javascript code.
The feature can be enabled to multiple themes on the same site.

Project link

https://www.drupal.org/project/js_editor

Git instructions

git clone --branch 1.0.x https://git.drupalcode.org/project/js_editor.git

PAReview checklist

http://pareview.net/r/149

Comments

marco.aresu created an issue. See original summary.

marco.aresu’s picture

marco.aresu commented
Issue summary: View changes
avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Title: [D8],[D9] Javascript Editor » [D9] Javascript Editor
Category: Plan » Task
Issue summary: View changes
Issue tags: -JavaScript, -developer

Thank you for applying!
Remember to change status, when the project is ready for review, as in this queue Active means Don't review yet the project I am using for this application.

marco.aresu’s picture

marco.aresu commented
Status: Active » Needs review
keen-on.digital’s picture

keen-on.digital commented

@marco.aresu Please add the advantage of using this module over other modules that provide similar functionality. eg: Asset Injector

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Needs review » Needs work
marco.aresu’s picture

marco.aresu commented
Status: Needs work » Needs review

Javascript Editor is similar to Asset Injector
The advantages compared to Asset Injector are:

  • Configuration is available in the theme settings. This allows users to isolate the settings in the configuration theme page.
  • Javascript Editor is similar to CSS Editor. Javascript Editor and CSS Editor have the same configuration page.
klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Status: Needs review » Needs work
Issue tags: +PAreview: security

Thanks for you contribution!

manual review:

  1. js_editor_form_system_theme_settings_alter(): You are allowing an admin user to inject arbitrary Javascript into a Drupal site. They could store an XSS attack in the Javascript there, so you need to protect this action with a permission where the admin can already compromise the site. In Drupal we do this with the "restrict access" option on a permission. As far as I can see the theme settings form is only protected with the "administer themes" permission which does not have that restrict option set. It is probably best if you create your own permission like "execute arbitrary js_editor scripts" and enforce that with the #access property in your additional form elements. This is currently a security blocker.
  2. JsEditorThemeNegotiator: the class doc block repeat the class name in the second sentence, I think that line can be removed?
  3. JsEditorThemeNegotiator: why do you need this class? You are not changing the active theme in any way, so it could be removed?
  4. config schema is missing for config object, see https://www.drupal.org/docs/8/api/configuration-api/configuration-schema...
marco.aresu’s picture

marco.aresu commented
Status: Needs work » Needs review

Thanks @klausi
I made the changes you suggested:

  1. The permission "execute arbitrary js_editor scripts" has ben added . The permission is used in additional form
  2. The class JsEditorThemeNegotiator has been removed
  3. The config schema has been added

The changes are available in dev module version.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Priority: Normal » Critical

I changed the issue priority as described on Review process for security advisory coverage: What to expect / Application Review Timelines.

To reviewers: Please change back the priority to Normal after reviewing the project.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Priority: Critical » Normal
Status: Needs review » Reviewed & tested by the community

The points reported in #8 have been fixed.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Status: Reviewed & tested by the community » Fixed

Thank you for your contribution! I am going to update your account.

These are some recommended readings to help with excellent maintainership:

You can find more contributors chatting on the IRC #drupal-contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

I thank all the dedicated reviewers as well.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.