[D7] jserror

There are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpgitdrupalorgsandboxfly2abhishek2162225git

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

What if I create a POST request containing JS or HTML in any of the fields? You should always filter your output that comes from an untrusted source.

* Typo in hook_help()? JSerror module watches you JavaScript
*Typo in hook_init()? // Check if jserr_en cookie is enabled. I not set to cookie.

I really can't find anything to put my finger on here. But I have only done a manual code review, no testing.

I can see flood control is disabled by default. I would think that at least at least you should have some limit.
I would set this to RTBC, but I think we should get some more eyes on this.

Removing review bonus tag, you have not done all manual reviews, you just posted the output of an automated review tool. Make sure to read through the source code of the other projects, as requested on the review bonus page and provide feedback on that.

Hi Abhishek Anand.

The module holds up well and i cant see much wrong with it. I have noticed a few very minor issues though:

It would be nice to have a 'configure' entry in your .info file to direct users to your settings page from the modules page, eg:
configure = admin/config/development/jserror

There are a few typos in jserror_admin_settings():
"The percentageof visits..."
"Persentage of users..."

A long-shot admittedly, but in theory anonymous users can access the jserror_errors_overview form, which leads to entries in thier $_SESSION array, thereby disable anonymous page caching. It may be worth noting in the README that this disables page caching when used anonymously.

Good luck with your module

Andy

Hi Abhishek,

Some findings after a manual review.

1. Use l function in jserror_list.tpl.php instead of html a tag

        <a title="<?php echo $error['message'];?>"
          href="/admin/reports/jserror/<?php echo $error['mid']?>"><?php echo $error['message'];?>
        </a>

2. Use db_insert to insert records in jserror.module file line no 153

Database::getConnection('default', 'default')->insert('jserror')

3. Use Drupal.settings.basepath in js while referring files in jserror-init.js file line 20 similar in jserror.js

s.src = "/sites/all/modules/jserror/jserror.js";

Cheers,
Anil Sagar

After installing the jserror and visited some of the pages ive checked the javascript logs and found nothing. I visited again some of the pages with jquery interactivity and when i return back to check javascript logs in Report UI i found this, a screenshot of the mysql error - http://screencast.com/t/dZvdLS1Fj .

It was resolved when i cleared my cache and now its back to normal.

Hi Anand,

http://pareview.sh/pareview/httpgitdrupalorgsandboxfly2abhishek2162225git automation review tool shows a small issue.

FILE: /var/www/drupal-7-pareview/pareview_temp/jserror_list.tpl.php
--------------------------------------------------------------------------------
FOUND 1 ERROR(S) AFFECTING 1 LINE(S)
--------------------------------------------------------------------------------
27 | ERROR | No space found after comma in function call
--------------------------------------------------------------------------------

I have installed the module and you have followed the Drupal API and FAPI standards.

Other than that I found little notes on code standards,
1 - There is no need of explicit notation for default submit handler of the form like

$form['jserror_clear']['clear'] = array(
    '#type' => 'submit',
    '#value' => t('Clear error messages'),
    '#submit' => array('jserror_clear_log_submit'),
  );

This is something you have maintained in the other form "jserror_filter_form".

All looks good to me apart from the above. Your module looks great and Good luck man

manual review:

1. jserror-init.js: you are hardcoding the loaction sites/all/modules/jserror here, while the module might be somewhere else on a site, e.g. in profiles/recruiter/modules/jserror. So I think you should pass your module path to Drupal.settings and use that?
2. jserror_init(): I think this is the wrong hook to add javascript, since this runs on every single page request, regardless if HTML is even generated or not. I think you should use hook_page_build() instead.
3. jserror_save_errors(): so anyone can submit bogus/faked JS errors to that callback, but I have no idea how you could prevent that, so I guess you can't do much about that?

But otherwise looks RTBC to me. Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

Assigning to mlncn as he might have time to take a final look at this.

Upon Manual review:
1. Sorry i didn't noticed it. I Agree with the issue.
2.

Use hook_page_build() instead of hook_init() to add CSS or JS to every page. The reason is that hook_init() runs on every request that goes to Drupal (AJAX requests, private file requests, boost / varnish requests etc.), but hook_page_build() runs only when delivering HTML.

In this module case, It should load on all the pages even if there is no html delivered.

3. Basically 'jserror_save_errors' is an page callback which doesn't have error details as parameters and its always work with browscap module. so no issues on bogus/faked JS error submit

4. Use drupal_write_record/db_insert instead of

Database::getConnection('default', 'default')->insert('jserror')
        ->fields(array(

5. Haven't used t() on title and description of the menus (Translates a string to the current language or to a given language.)

'title' => 'JSerror module settings',
    'description' => 'Set options for jserror module',

6. Need to check the is_numeric of the data on

function jserror_error_details($mid) {
  drupal_add_css(drupal_get_path('module', 'jserror') . '/jserror-admin.css');
  $errors = array();
  $query = db_select('jserror', 'j')->extend('PagerDefault');
  $query->condition('j.mid', $mid, '=')->fields('j', array('eid',

7. Helper functions name should starts with underscore

function jserror_filters() {
  static $filters;

  if (isset($filters)) {
    return $filters;
  }

If you don't deliver HTML then javascript will not be executed, so really hook_page_build() should be used.

Of course anyone can submit POST values to jserror_save_errors() and the module will just write them to the database. So an attacker could send bogus/fake error messages, which could be confusing. But as I said there does not seem to be a way to prevent that, so I would not consider it a security issue.

Do not use t() in hook_menu(), so the current code is fine.

The rest don't seem to be critical application blockers, so back to RTBC.

no other objections for more than a week, so ...

Thanks for your contribution, Abhishek Anand!

I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.