Tree select

Hi Zheka,

Thanks for your contribution. I just looked at it briefly to confirm a common problem that sounded likely after reading your description:

3rd party code

Both jquery.bgiframe.js and jquery.mcdropdown.js appear to be 3rd party code. 3rd party code is not generally allowed on Drupal.org and should be deleted. This policy is described in the getting involved handbook. It also appears in the terms and conditions you agreed to when you signed up for Git access, which you may want to re-read, to be sure you're not violating other terms.

The Libraries API module is a recommended method for adding 3rd party dependencies without directly including the code on Drupal.org.

It appears you are working in the "master" branch in git. You should really be working in a version specific branch. The most direct documentation on this is Moving from a master branch to a version branch. For additional resources please see the documentation about release naming conventions and creating a branch in git.

Review of the master branch:

• README.txt is missing, see the guidelines for in-project documentation.
• Remove "version" from the info file, it will be added by drupal.org packaging automatically.
• Drupal Code Sniffer has found some issues with your code (please check the Drupal coding standards). you can check here: http://ventral.org/pareview/httpgitdrupalorgsandboxzheka1815526git

do to other project application review and get review bonus to finish it faster.

Hii,

I must say this is a very nice module. I installed the module and it worked. Readme file has clear installation and usage instructions. However there is a minor issue:

In tree select module file, at line 168, $vars['element']['#default_value'] throws a warning if the form is used for the first time and there is no default value. You probably need to implement a check there.

Else this looks RTBC to me. The module seemed to work without a hitch!!..

Thanks,
Aritra.

Hii,

You can't promote your module just yet. First a git admin will check the status of application and do a final code review. If everything is all right the it will be promoted by him and hopefully then you will be granted permission to promote your own modules in future. Please understand that there are lots of applications and git admins are quite busy. So this may take some time.

To accelerate the process you can review others code and take part in Review Bonous.

Thanks,
Aritra

Sorry this has sat for so long, especially at RTBC. :(

I took a look at the module, and had the following suggestions:

Master branch

While you have the default branch set correctly, it is a recommended practice to go back and remove any files from your 'master' branch; and leave only a text file which points the user towards the branch which is actually used. This way, you don't have to put up with the hassle of keeping your master and 7.x-1.x branches synchronized.

No sanitization of user input

Unfortunately, the code doesn't run values through any sanitization functions (such as filter_xss() or check_plain()) before outputing them. This opens up any site using this module to a Cross-site scripting (XSS) security vulnerability, which could be exploited by visitors to the site in order to execute arbitrary code on the server.

To see the vulnerability for yourself, configure a Taxonomy Term field to use the Tree Select widget, and then create a taxonomy tag containing <script>alert('xss!');</script> as it's contents. As you browse around the site, the user-supplied javascript is actually run, resulting in little 'xss!' popups as soon as you try to edit any node using the tree select field.

Sadly, this second issue is a show-stopper from an application point of view ... and it will have to be addressed before we can promote the module or grant you "git vetted user" status.

Once you have, please set your application back to 'needs review', and feel free to ping me on IRC for another review if it stalls out again.

Adding the PAReview: security tag, which is simply used as a metric to help us track the number of issues where security issues have been uncovered through the review process.

Closing due to lack of activity. Feel free to reopen if you are still working on this application.

I'm a robot and this is an automated message from Project Applications Scraper.

Editing description.