I have been reviewing projects since last year. I would like to become a code review administrator.
I will keep adding project reviews to the wiki page.
https://www.drupal.org/project/issues/search/projectapplications?project...
Security issues
- [D7] Font Icon Select
One of the fields from this module is vulnerable to XSS and should be passed through check_plain(). That field can execute JavaScript.
Reviews
- [D7] Message Private
- [D7] Aspose Doc Importer
- [D7] Mapply
- [D7] Administrative Help
- [D7] Livechatoo
- [D7] Multiple Registration
- [D7] Zurb Responsive Tables
- [D7] Account Settings Email Attachment
- [D7] CKEditor AutoEmbed
- [D7] Kaltura Tag
- [D7] Addressfield - Japanese Postal Code
- [D7] Read only node
- [D7] shs search api
- [D7] Views_Reveal
- [D7] OpenQuestions
- [D7] Indonesian Phone
- [D7] OKVideo
- [D7] fieldupdate
- [D7] Useful Commands Drush
- [D7] Comment Stats
- [D7] Hellosign
- [D7] Views slug title
- [D7] Feedback Collect
- [D7] Crop Entity
- [D7] Image ALT text
- [D7] Video Embed Ted
- [D7] Media Facebook
- [D7] Content Type Search in Add Content(node/add) Page
- [D7] Image Compression TinyPNG/JPG
- [D7] Views Filter Object
- [D7] OpenAccess
- [D7] Taxonomy Autocomplete Permission
- [D7] netForum Authenticate
- [D7] PTV Timetable API
- [D7] Wrap Word
- [D7] Influxis Video Upload
- [D7] YPlan
- [D7] Pipedrive
- [D7] Font Icon Select
- [D7] Session Cache Form
- [D7] Field Sections
- [D7] TinyPNG On Upload
- [D7] Fancyselect module
- [D7] Show Node Aliases
- [D7] Multimedia block
- [D7] Rackspace webmail integration
- [D7] External Logger
- [D7] Custom Email Template
- [D7] Pingdom API
- [D7] Theme-color meta tag
- [D7] CKEditor Image2
- [D7] Comment Bulk actions
- [D7] Entity Pager
- [D7] Edit unpublished
- [D7] Webform Tooltip
Comments
Hi and thanks for starting this!
I saw in https://www.drupal.org/node/2486567#comment-9941151 that you posted a long list of automated results - could you edit that and put it in a txt attachment instead to not clutter up the application thread?
Also, you get bonus extra points for finding security issues, which is THE most important part of project application reviews. See https://www.drupal.org/project/issues/search/projectapplications?project... for examples what we usually find. Please create a section about your security vulnerability findings once you identify those in an application.
Done
I found two security issues (I think), see https://www.drupal.org/node/2490748#comment-9946261
https://www.drupal.org/node/2487960#comment-9946437
The first one was a false positive, so also make sure that you can actually exploit the vulnerabilities you find.
@klausi,
I do not think the second one is a security issue either. I had a conversation with heddn about how to test XSS exploits, and I ended up running something like this on the field:
<script>alert("foo")</script>
and this did not show me "foo". I would remove PAReview: security.
That might be a possible XSS exploit.
To test XSS exploits, https://www.drupal.org/sandbox/matthew.donadio/2319347 is a great tool.
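The check_plain() point from the application's security findings and the XSS test discussed in the comments, as an added example that is not code from this thread or from any of the modules listed above. The function names render_icon_unsafe() and render_icon_safe(), the $icon_label value and the minimal check_plain() fallback are all assumptions made here so the script runs outside a Drupal 7 install; the fallback mirrors what core's check_plain() does.

```php
<?php
// Added example, not code from the thread or from any listed module.
// Shows the difference between echoing a stored text-field value straight into
// markup and passing it through check_plain() first, which is the fix named in
// the application's Font Icon Select finding.

if (!function_exists('check_plain')) {
  // Drupal 7 core implements check_plain() as htmlspecialchars() with these
  // flags; this fallback (an assumption for stand-alone use) does the same.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: what an administrator might have typed into a text
// field of a hypothetical module, carrying the test payload used in the
// comments above.
$icon_label = 'Home <script>alert("foo")</script>';

// Vulnerable rendering: the stored string is concatenated directly into the
// markup, so the browser parses and runs the script tag.
function render_icon_unsafe($label) {
  return '<span class="icon-label">' . $label . '</span>';
}

// Hardened rendering: check_plain() converts <, >, &, " and ' to entities, so
// the same value is displayed as literal text and no script executes.
function render_icon_safe($label) {
  return '<span class="icon-label">' . check_plain($label) . '</span>';
}

$unsafe = render_icon_unsafe($icon_label);
$safe   = render_icon_safe($icon_label);

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";

// Self-check a reviewer can reuse: the escaped output must not contain a raw
// <script> tag, while the unescaped output does.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
```

Run it with php on the command line; the "Unsafe:" line carries the raw script tag and the "Safe:" line carries the entity-encoded text. When reviewing a module, trace each stored value to the place it reaches output: if it already passes through check_plain(), filter_xss(), a t() call with @ or % placeholders, or the link text of l() with its default options, it is escaped on the way out and the report is a false positive, which is the distinction klausi's comment asks reviewers to confirm before marking an application with PAReview: security.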