[D7] Remote Webform Submission

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Hi molenick,

When you have only one checkbox option then why you use checkboxes type.
line no-73,74
line no-80,81

for more info about drupal form api
drupal form api

Hey!

Nice idea for a module. The automatic review says your module is clean.

Manual code review of branch 7.x-1.x

I looked for quite a while and couldn't find any obvious major flaws. Two minor points which may or may not need fixing.

• webform_remote_submission.module, Line 256, 439: Maybe check for status=1, otherwise it might be possible to submit into unpublished webforms? Not sure about that, though.
• webform_remote_submission.module, Line 405: Imho this function should return TRUE or FALSE. I guess you have your reasons (database mapping?) to return 0, 1, NULL, but it looks a bit like a work around?

Apart from that, I think $_SERVER['REFERER'] is quite unreliable afaik. Depending on the browser it might be set or not. So I wouldn't rely on that for a backlink. You could add the option to add a backlink URL to the remote form / success page as an additional hidden field in the remote form, I suppose.

manual review:

1. webform_remote_submission_form_alter(): use hook_form_FORM_ID_alter() instead.
2. _webform_remote_submission_code(): use check_plain() instead of htmlspecialchars().
3. _webform_remote_submission_render_form(): doc block format is wrong, see http://drupal.org/coding-standards/docs#param . Also elsewhere.
4. _webform_remote_submission_post(): why the check_plain() here? You are not printing anything to the user? "When handling data, the golden rule is to store exactly what the user typed. When a user edits a post they created earlier, the form should contain the same things as it did when they first submitted it. This means that conversions are performed when content is output, not when saved to the database". Make sure to read http://drupal.org/node/28984 again.
5. "'!title' => check_plain($node->title),": use the "@" placeholder with t() instead, then you don't need the check_plain().
6. _webform_remote_submission_post(): yes, l() does sanitization per default.
7. _webform_remote_submission_post(): so this is vulnerable to CSRF exploits, right? I can easily prepare a site that submits form data on your behalf without your consent and it will be accepted. The question is how we deal with that? Is it acceptable to be prone to CSRF in your case? Should you present a final confirmation form before you actually take over the data and save it? Should you add some javascript to get a CSRF token from the original webform site? Checking the referrer header is also one measurement against CSRF, so you should at least make it configurable which URLs are allowed to send over data. I'm not sure about the solution you want, but this looks like a security issue and is an application blocker right now. And please don't remove the security tag, we keep that for statistics and to show examples of security problems.

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

Sorry for the delay. Make sure to review more project applications and get a new review bonus and this will get finished faster.

So as far as I understand it that Javascript HTTP request to your Drupal site will never send the cookies along because of the same origin policy. Which means that all webform submissions will be done as anonymous user, right? That might not be a problem for you, but you should mention that in the README.txt that remote submissions will only work for anonymous users.

Strictly speaking users might not even need your module, since all Drupal forms for anonymous users can be embedded on other sites. It is just a matter of Javascript or Iframe skills to include a webform on another site. Might also be interesting for README.txt.

Otherwise looks RTBC to me.

Assigning to mitchell as he might have time to take a final look at this.

no objections for more than a week, so ...

Thanks for your contribution, molenick!

I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.