Share buttons for Drupal including the E-MAILiT sharing button, Facebook, Twitter, Pinterest, WhatsApp, Viber, Skype, Telegram, and many more.
E-MAILiT is a powerful social sharing platform and an awesome marketing web tool for your website. You can find out much more in our website https://www.e-mailit.com
project page: https://www.drupal.org/sandbox/e-mailit/2667034
GIT COMMAND FOR CLONE
git clone --branch 7.x-1.x https://git.drupal.org/sandbox/E-MAILiT/2667034.git e_mailit_sharing_buttons
Manual reviews of other projects
Comment | File | Size | Author |
---|---|---|---|
#29 | js-error.png | 44.11 KB | visabhishek |
#27 | coder-results.txt | 96.18 KB | klausi |
Comments
Comment #2
PA robot CreditAttribution: PA robot commentedThere are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpgitdrupalorgsandboxE-MAILiT2667034git
Fixed the git clone URL in the issue summary for non-maintainer users.
We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #3
Dave Bagler CreditAttribution: Dave Bagler commentedLooked through the code here's my thoughts:
Please add a
README.txt
orREADME.md
file.The optional files property of the info file is for autoloading class and interface declarations. The three referenced files (
emailit.admin.inc
,emailit.install
andemailit.module
) don't include class or interface declarations so I recommend removing thefiles[]
lines from the info file.The install hook is empty so I recommend removing it.
You set a lot of variables with the administration form. Each of the set variables should be deleted in your module's uninstall hook.
Comment #4
E-MAILiT CreditAttribution: E-MAILiT commentedThank you very much for the suggestions.
We've made all the changes.
Please review the project.
Thank you in advance.
Comment #5
Arkener CreditAttribution: Arkener as a volunteer commentedAUTOMATED REVIEW:
Please take a look at the automated review as the bot has stated: http://pareview.sh/pareview/httpgitdrupalorgsandboxe-mailit2667034git
MANUAL REVIEW:
emailit.admin.inc
Lines 12-16
Use #attached instead of drupal_add_js and drupal_add_css
emailit.module
Line 46: Replace the magic number 1 by NODE_PUBLISHED
Line 111-208: This entire function is full of XSS exploits, you should sanitize each open variable get that is loaded from an open input field, for example: Add the following code to the TWEET VIA (your Twitter username) (emailit_TwitterID) field:
'}; alert('XSS'); var e_mailit_config = {display_counter:false,TwitterID:'test
Line 243: This is also XSS issue, for example: Add the following code to the Services [ Service Codes ] emailit_default_buttons field:
Facebook,Twitter,Pinterest,LinkedIn,"><script>alert('Test');</script><span class="
For more information about sanitizing, please read https://www.drupal.org/node/28984.
Please don't remove the security tag, we keep that for statistics and to show examples of security problems.
Comment #6
E-MAILiT CreditAttribution: E-MAILiT commentedWe've made the required fixes.
Please review the project.
Thank you in advance.
Comment #7
E-MAILiT CreditAttribution: E-MAILiT commentedPlease review the project so we can promote it to full.
Thanks in advance.
Comment #8
E-MAILiT CreditAttribution: E-MAILiT commentedWe have fixed all errors reported by automated review tools.
Please review the project.
Comment #9
sourabhutani CreditAttribution: sourabhutani as a volunteer and at Kellton Tech Solutions Ltd commentedAutomated Review
There is some coding standard errors to fix : http://pareview.sh/pareview/httpgitdrupalorgsandboxe-mailit2667034git
Individual user account
Yes
Duplication
No
Master Branch
Yes. Branch 7.x-1.x
Licensing
Yes. Follow
3rd party assets/code
Yes follow. Do not contains any 3dr party.
README.txt/README.md
Yes
Code long/complex enough for review
Yes. Well documented. Extending views sort, fields and argument.
Secure code
None security issue found. Looks good.
Coding style & Drupal API usage
After a manuel Review, everything seems to be ok. Perhaps, just some recommandations :
-Mixed case function formatting used in emailit.admin.js. Use lower case and _ [style_camel_case]
Module works fine, without errors.
Comment #10
E-MAILiT CreditAttribution: E-MAILiT commentedAutomated Review
All coding standard erros appear in minified javascript files like jquery.min.js
Coding style & Drupal API usage
Mixed case function formatting used in emailit.admin.js is now fixed.
Please review the project so we can promote it to full.
Comment #11
klausiThe Libraries API module is a recommended method for adding 3rd party dependencies without directly including the code on Drupal.org.
Did you mean to depend on jquery_update module or why is jquery included?
Comment #12
E-MAILiT CreditAttribution: E-MAILiT commentedDrupal 7 already includes an older version of jquery but our module needs a newer one to work properly.
In https://www.drupal.org/node/1058168 describes how we can add a newer version of jquery.
In the code we have added jQuery.noConflict() method to prevent any possible jquery conflict.
Comment #13
E-MAILiT CreditAttribution: E-MAILiT commentedWe' ve removed jQuery 3rd party libraries.
Please review the project.
Comment #14
E-MAILiT CreditAttribution: E-MAILiT commentedPlease review the project so we can promote it to full.
Comment #15
E-MAILiT CreditAttribution: E-MAILiT commentedWe' ve made all the requested modifications.
Please review the project.
Comment #16
ziomizar CreditAttribution: ziomizar commentedHi E-MAILiT,
In order to speed up the review process, you could be interested in read how to get the review bonus.
Please read https://www.drupal.org/node/1975228.
Be patient, someone will review your code.
Comment #17
E-MAILiT CreditAttribution: E-MAILiT commentedManual reviews of other projects
Queued for review by site administrators. Will be published after approval.
Comment #18
E-MAILiT CreditAttribution: E-MAILiT commentedIt is almost 5 months since we firstly requested a review!
Please review the project so we can promote it to full.
Comment #19
E-MAILiT CreditAttribution: E-MAILiT commentedComment #20
E-MAILiT CreditAttribution: E-MAILiT commentedComment #21
ARUN AK CreditAttribution: ARUN AK commentedIt seems like you are using minified version of js(emailit.admin.js) in your module. Please provide normal js file, it would be easy go through your script.
Comment #22
E-MAILiT CreditAttribution: E-MAILiT commentedThanks for the comment,
emailit.admin.js is now provided in normal format.
Comment #23
3ssom CreditAttribution: 3ssom commentedHello E-MAILiT,
Reviewers here have done great work ,, and you followed that so I'll complete from where they stopped!
Automated Review
you still have some errors ..
https://git.drupal.org/sandbox/E-MAILiT/2667034.git
Manual Review
but there is warning msg you should see:
Git errors:
The last commit message is just one word, you should provide a meaningful short summary what you changed. See https://www.drupal.org/node/52287
function hook_uninstall() {
Thank you
Comment #24
E-MAILiT CreditAttribution: E-MAILiT commentedHi 3ssom,
thanks for the review.
All issues have been addressed,
Please review the project.
Comment #25
3ssom CreditAttribution: 3ssom commentedHello E-MAILiT,
I can confirm all the points were covered and fixed!
FYI: you could have just use check_plain() instead of filter_xss() in your file .module line.. I don't see any allowed HTML tags needed here!
I think this is a RTBC!
Comment #26
klausiComment #27
klausiReview of the 7.x-1.x branch (commit 5e3b0b0):
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
manual review:
There is a security vulnerability in this module and as part of our git admin training I'm assigning this to visabhishek so that he can take a look. If he does not find anything within a week I'm going to post the vulnerability details.
Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #28
visabhishek CreditAttribution: visabhishek as a volunteer and at Azri Solutions commentedComment #29
visabhishek CreditAttribution: visabhishek as a volunteer and at Azri Solutions commented@klausi : Thanks for this assignment
I have manually reviewed the code and my findings are :
use chack_plain instead of strip_tags in emailit_create_buttons()
Ex :
Use check_url() for $shared_url variable for
$output_value = "<div class=\"e-mailit_toolbox $style \" $shared_url $shared_title>" . PHP_EOL;
Also use proper concatination
AND
All user facing text should pass through t() function.
See : $node->title in
function emailit_create_node_buttons($node)
I am getting JS error also, Please see the attachement.
Comment #30
klausi@visabhishek: good find, but how would you exploit the code with a malicious node title?
Here is what I came up with:
a' onmouseover='alert(0)
This will only show a nasty javascript popup, but you can come up with more creative ideas to do harm on a site. One more attack idea:
a' onmouseover='window.location="http://example.com"
. Wow, this will redirect you away from the site, perfect for phishing!When we think about XSS it is important to understand the context in which the user provided string is printed to HTML. In this case the node title is inserted into an HTML attribute. We need to be very careful about that, because strip_tags() will not help us here. We need to make sure that an attacker cannot use quotes to break out of the attribute value for example.
So the solution in this case is to use check_plain(), which will take care of the quotes for you. That way an attacker cannot break out of the context of one HTML attribute and create a completely new one.
Comment #31
visabhishek CreditAttribution: visabhishek as a volunteer and at Azri Solutions commented@klausi : Thanks a lot for the valuable suggestion. I will definelty keep in mind the points that you have mentioned during my next security review.
Comment #32
PA robot CreditAttribution: PA robot commentedClosing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #33
E-MAILiT CreditAttribution: E-MAILiT commentedAll known problems are fixed.
Please review the project.
Comment #34
sandip27 CreditAttribution: sandip27 at Cybage Software Pvt Ltd. commentedHello @E-MAILiT
I just did the automated review of project. You can check the output at pareview Review.
and many more...
Please fix those issue and re-submit for review.
Thanks
Comment #35
PA robot CreditAttribution: PA robot commentedClosing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #36
E-MAILiT CreditAttribution: E-MAILiT commentedI've made as many fixes as I could about issues presented in automated review.
There are only minor formatting issues in emailit.admin.js
If there is any automated way to fix them please inform me.
I use netbeans IDE to auto-format the javascript file.
It is almost 1 year I am trying to promote this project to full.
I do not think that formatting is such a big deal to prevent this project from being promoted.
The most of the full projects published do not meet even 50% of the requirements.
Thanks in advance.
Comment #37
Warped CreditAttribution: Warped as a volunteer commentedThank you for your contribution!
After 2017 March 7 everyone can promote a project to a full project. A full project has a short project name and a drupal.org/project URL. It can also have releases (like alpha1 or 1.0). Edit your sandbox project, and then choose the 'Promote' tab.
https://www.drupal.org/docs/8/understanding-drupal-version-numbers/drupa...
https://www.drupal.org/docs/8/choosing-a-drupal-version/what-do-version-...
https://www.drupal.org/docs/8/understanding-drupal-version-numbers/what-...
https://www.drupal.org/docs/8/choosing-a-drupal-version/release-stable-v...
If you'd like to opt into security coverage, please ensure your module is ready for a full release, and then set this issue back to 'needs review'
Immense apologies for how long it took to get to this review completed.
Comment #38
apadernoI am closing this application for the lack for replies. I take the OP just needed to be able to promote the project.