
All data being inserted into page source

Status
Not open for further replies.

inradius

New Member
I'm having an issue where absolutely all of the list data is being inserted into a page's source inside of <script> tags within the <head>. If you go to this demo site, view the source and you will see a spot around line 67
Code:
var list = new FbList(...
at this point it is inserting every single thing for every single entry. Why is this happening? I have a client's site I'm working on right now and due to this data being inserted, it is a massive security hole as anyone who views the source can get all the private details of all the records.

Also, I had about 5 list modules on one page and it loads all this javascript data 5 times. The page source was so huge that the site was taking around 7-10 seconds to load.

I commented out a line of the /components/com_fabrik/views/list/view.base.php file
Code:
$script[] = $opts;
and it seems to remove that data. The fabrik lists all still work too. What exactly is this data and why is it there?
 
First thing, I can guarantee removing all the opts from the management JS will break some features of lists. If you want to comment out anything for now, it'd be this line (105 in my copy):

PHP:
$opts->formels = $elementsNotInTable;

We use that 'formels' data in a couple of places where we need to have information about elements not displayed in the table, like when building a CSV export popup.

I'm not sure exactly which part of the opts would be considered a massive security risk, but if that's an issue, as with any Fabrik usage, if there are elements you don't want people without a given level of access to see / know about, you can set the ACLs on that element, and we won't include anything about them on a page.

That said, I'm pretty sure we don't need to include the entire element model for each of the 'formels' structures we currently include, and we could cut that back to just the stuff we do need.

I'll raise a ticket on this.

-- hugh
 
Thanks cheesegrits,

About changing the element access ACLs, I can't get this to remove that element's data from this JavaScript insert. I tried setting the "Editable" and "Viewable" options to Special, but the records still show this in the page source.

In my demo site, I set the Email element field as such, but this is the general JavaScript insert in the page source for each record submitted
HTML:
{"admin":false,"ajax":0,"ajax_links":false,"links":{"detail":"","edit":"","add":""},"filterMethod":"onchange","form":"listform_1_com_fabrik_1","headings":"['t0pki_fb_contact_sample___id','t0pki_fb_contact_sample___first_name','t0pki_fb_contact_sample___last_name']","labels":{"t0pki_fb_contact_sample___id":"id","t0pki_fb_contact_sample___first_name":"First Name","t0pki_fb_contact_sample___last_name":"Last Name"},"primaryKey":"`t0pki_fb_contact_sample`.`id`","Itemid":"101","listRef":"1_com_fabrik_1","formid":"1","canEdit":"0","canView":"1","page":"\/clean\/index.php","isGrouped":false,"formels":[{"id":"4","name":"email","group_id":"1","plugin":"field","label":"Email","checked_out":"0","checked_out_time":"0000-00-00 00:00:00","created":"2012-07-24 20:01:56","created_by":"921","created_by_alias":"admin","modified":"2012-07-26 21:12:20","modified_by":"921","width":"0","height":"0","default":"","hidden":"0","eval":"0","ordering":"3","show_in_list_summary":"0","filter_type":"","filter_exact_match":"1","published":"1","link_to_detail":"0","primary_key":"0","auto_increment":"0","access":"1","use_in_page_title":"0","parent_id":"0","params":"{\"placeholder\":\"\",\"password\":\"0\",\"maxlength\":\"255\",\"disable\":\"0\",\"readonly\":\"0\",\"autocomplete\":\"1\",\"text_format\":\"text\",\"integer_length\":\"6\",\"decimal_length\":\"2\",\"field_use_number_format\":\"0\",\"field_thousand_sep\":\",\",\"field_decimal_sep\":\".\",\"text_format_string\":\"\",\"guess_linktype\":\"0\",\"link_target_options\":\"default\",\"show_in_rss_feed\":\"0\",\"show_label_in_rss_feed\":\"0\",\"use_as_fake_key\":\"0\",\"use_as_rss_enclosure\":\"0\",\"rollover\":\"\",\"tipseval\":\"0\",\"tipsoverelement\":\"0\",\"tiplocation\":\"top\",\"labelindetails\":\"1\",\"labelinlist\":\"0\",\"comment\":\"\",\"view_access\":\"3\",\"encrypt\":\"0\",\"can_order\":\"0\",\"alt_list_heading\":\"\",\"custom_link\":\"\",\"custom_link_indetails\":\"1\",\"use_as_row_class\":\"0\",\"include_in_list_query\":\"1\",\"icon_folder\":\"0\",\"icon_hovertext\":\"1\",\"icon_file\":\"\",\"filter_access\":\"1\",\"full_words_only\":\"0\",\"filter_required\":\"0\",\"filter_build_method\":\"0\",\"filter_groupby\":\"text\",\"inc_in_search_all\":\"2\",\"inc_in_adv_search\":\"1\",\"tablecss_header_class\":\"\",\"tablecss_header\":\"\",\"tablecss_cell_class\":\"\",\"tablecss_cell\":\"\",\"sum_on\":\"0\",\"sum_label\":\"Sum\",\"sum_access\":\"1\",\"sum_split\":\"\",\"avg_on\":\"0\",\"avg_label\":\"Average\",\"avg_access\":\"1\",\"avg_round\":\"0\",\"avg_split\":\"\",\"median_on\":\"0\",\"median_label\":\"Median\",\"median_access\":\"1\",\"median_split\":\"\",\"count_on\":\"0\",\"count_label\":\"Count\",\"count_condition\":\"\",\"count_access\":\"1\",\"count_split\":\"\",\"custom_calc_on\":\"0\",\"custom_calc_label\":\"Custom\",\"custom_calc_query\":\"\",\"custom_calc_access\":\"1\",\"custom_calc_split\":\"\",\"custom_calc_php\":\"\",\"validations\":[]}"},{"id":"5","name":"message","group_id":"2","plugin":"textarea","label":"message","checked_out":"0","checked_out_time":"0000-00-00 00:00:00","created":"2012-07-24 20:01:56","created_by":"921","created_by_alias":"admin","modified":"2012-07-24 20:13:54","modified_by":"921","width":"0","height":"0","default":"","hidden":"0","eval":"0","ordering":"4","show_in_list_summary":"0","filter_type":"","filter_exact_match":"1","published":"1","link_to_detail":"0","primary_key":"0","auto_increment":"0","access":"1","use_in_page_title":"0","parent_id":"0","params":"{\"textarea_placeholder\":\"\",\"use_wysiwyg\":\"0\",\"textarea-showmax\":\"0\",\"textarea-maxlength\":\"255\",\"textarea-tagify\":\"0\",\"textarea_tagifyurl\":\"\",\"textarea-truncate\":\"0\",\"textarea-hover\":\"1\",\"textarea_hover_location\":\"top\",\"show_in_rss_feed\":\"0\",\"show_label_in_rss_feed\":\"0\",\"use_as_fake_key\":\"0\",\"use_as_rss_enclosure\":\"0\",\"rollover\":\"\",\"tipseval\":\"0\",\"tipsoverelement\":\"0\",\"tiplocation\":\"top\",\"labelindetails\":\"1\",\"labelinlist\":\"0\",\"comment\":\"\",\"view_access\":\"1\",\"encrypt\":\"0\",\"can_order\":\"0\",\"alt_list_heading\":\"\",\"custom_link\":\"\",\"custom_link_indetails\":\"1\",\"use_as_row_class\":\"0\",\"include_in_list_query\":\"1\",\"icon_hovertext\":\"1\",\"icon_file\":\"\",\"filter_access\":\"1\",\"full_words_only\":\"0\",\"filter_required\":\"0\",\"filter_build_method\":\"0\",\"filter_groupby\":\"text\",\"inc_in_search_all\":\"2\",\"inc_in_adv_search\":\"1\",\"tablecss_header_class\":\"\",\"tablecss_header\":\"\",\"tablecss_cell_class\":\"\",\"tablecss_cell\":\"\",\"sum_on\":\"0\",\"sum_label\":\"Sum\",\"sum_access\":\"1\",\"sum_split\":\"\",\"avg_on\":\"0\",\"avg_label\":\"Average\",\"avg_access\":\"1\",\"avg_round\":\"0\",\"avg_split\":\"\",\"median_on\":\"0\",\"median_label\":\"Median\",\"median_access\":\"1\",\"median_split\":\"\",\"count_on\":\"0\",\"count_label\":\"Count\",\"count_condition\":\"\",\"count_access\":\"1\",\"count_split\":\"\",\"custom_calc_on\":\"0\",\"custom_calc_label\":\"Custom\",\"custom_calc_query\":\"\",\"custom_calc_access\":\"1\",\"custom_calc_split\":\"\",\"custom_calc_php\":\"\",\"validations\":[]}"}],"actionMethod":null,"floatPos":"left","csvChoose":false,"popup_edit_label":"Edit","popup_view_label":"View","popup_add_label":"Add","limitLength":"10","limitStart":0,"csvOpts":{"excel":0,"inctabledata":1,"incraw":1,"inccalcs":0,"incfilters":0},"csvFields":[],"data":[[{"data":{"t0pki_fb_contact_sample___id":"2","t0pki_fb_contact_sample___id_raw":"2","t0pki_fb_contact_sample___first_name":"John","t0pki_fb_contact_sample___first_name_raw":"John","t0pki_fb_contact_sample___last_name":"Doe","t0pki_fb_contact_sample___last_name_raw":"Doe","t0pki_fb_contact_sample___email":"john.doe@somemail.com","t0pki_fb_contact_sample___email_raw":"john.doe@somemail.com","t0pki_fb_contact_sample___message":"This is a private message that should not be seen by guest users...","t0pki_fb_contact_sample___message_raw":"This is a private message that should not be seen by guest users...","slug":"2","__pk_val":"2","fabrik_select":"","fabrik_view_url":"\/clean\/index.php\/component\/fabrik\/details\/1\/2","fabrik_edit_url":"\/clean\/index.php\/form\/1\/2","fabrik_view":"","fabrik_edit":"","fabrik_actions":""},"cursor":1,"total":1,"id":"list_1_com_fabrik_1_row_2","class":"fabrik_row oddRow0"}]],"rowtemplate":"<tr id=\"\" class=\"fabrik_row\">\n\t\t\t<td class=\"t0pki_fb_contact_sample___id fabrik_element fabrik_list_1_group_1\" >\n\t\t\t\t\t<\/td>\n\t\t\t<td class=\"t0pki_fb_contact_sample___first_name fabrik_element fabrik_list_1_group_1\" >\n\t\t\t\t\t<\/td>\n\t\t\t<td class=\"t0pki_fb_contact_sample___last_name fabrik_element fabrik_list_1_group_1\" >\n\t\t\t\t\t<\/td>\n\t<\/tr>","winid":""}
You can see towards the end, it is still including the person's email address. I might not be understanding the ACL method of doing things in Joomla. Special should not be the guest users, I thought.
 
$opts->formels

No, that's not it, although I've now reduced the amount of data that was being sent, most of which was not needed.

It's the data property

Which should not contain elements that can not be viewed

I've tracked it down to the group model's getListQueryElements() method

Code:
/**
 * $$$ hugh - experimenting adding non-viewable data to encrypted vars on forms,
 * also we need them in addDefaultDataFromRO()
 * if ($element->published == 1 && $elementModel->canView())
 */
if ($element->published == 1)
which is the culprit, hehe, for once it's not me! :D

I've hopefully patched that now in a way that won't break what Hugh was testing

Could we update from github and test please?

-Rob


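To make the fix Rob describes concrete, here is an added example (it is not Fabrik's own code; the element definitions, row, view levels and function names are constructed stand-ins for the group and element model methods). It models how the list options object gets built, first with the `published == 1` test alone and then with the `canView()` check added, and also cuts `formels` back to name and label, which is the second reduction mentioned in this thread.

```php
<?php
// Added example, not Fabrik's code: a model of how the list view's JS options
// get built, with the ACL check the thread says was missing. Element, row,
// user and access-level values below are constructed; function names are
// hypothetical stand-ins for the group/element model methods.

// Constructed element definitions. 'access' is the Joomla view access level
// the viewer needs (1 = Public, 3 = Special in a default install);
// 'in_list' stands in for show_in_list_summary.
$elements = [
    ['name' => 'id',         'label' => 'id',         'published' => 1, 'in_list' => 1, 'access' => 1],
    ['name' => 'first_name', 'label' => 'First Name', 'published' => 1, 'in_list' => 1, 'access' => 1],
    ['name' => 'email',      'label' => 'Email',      'published' => 1, 'in_list' => 0, 'access' => 3],
    ['name' => 'message',    'label' => 'message',    'published' => 1, 'in_list' => 0, 'access' => 3],
    ['name' => 'old_field',  'label' => 'Old',        'published' => 0, 'in_list' => 1, 'access' => 1],
];

// Constructed row as it comes back from the database query.
$rows = [
    ['id' => '2', 'first_name' => 'John', 'email' => 'john.doe@somemail.com',
     'message' => 'This is a private message that should not be seen by guest users...'],
];

// A guest's authorised view levels (in Joomla: $user->getAuthorisedViewLevels()).
$guestViewLevels = [1];

// Stand-in for $elementModel->canView(): is the element's access level among
// the viewer's authorised view levels?
function canView(array $element, array $viewLevels): bool
{
    return in_array((int) $element['access'], $viewLevels, true);
}

// Before the fix: the selection only tested `$element->published == 1`, so
// every published element, ACL-restricted or not, went into the query and
// from there into the JS options.
function listQueryElementsBefore(array $elements, array $viewLevels): array
{
    return array_values(array_filter($elements, fn($e) => $e['published'] == 1));
}

// After the fix: published AND viewable by the current user.
function listQueryElementsAfter(array $elements, array $viewLevels): array
{
    return array_values(array_filter(
        $elements,
        fn($e) => $e['published'] == 1 && canView($e, $viewLevels)
    ));
}

// Build the $opts blob that the view serialises into the <head>. Whatever
// passes the element selection drives the row data; 'formels' (elements not
// shown as table columns) is reduced to name and label.
function buildListOpts(array $elements, array $rows, array $viewLevels, callable $select): array
{
    $selected = $select($elements, $viewLevels);
    $names    = array_column($selected, 'name');

    $data = [];
    foreach ($rows as $row) {
        $data[] = array_intersect_key($row, array_flip($names));
    }

    $notInTable = array_filter($selected, fn($e) => !$e['in_list']);

    return [
        'headings' => array_column(array_filter($selected, fn($e) => $e['in_list']), 'name'),
        'formels'  => array_values(array_map(
            fn($e) => ['name' => $e['name'], 'label' => $e['label']],
            $notInTable
        )),
        'data'     => $data,
    ];
}

$before = buildListOpts($elements, $rows, $guestViewLevels, 'listQueryElementsBefore');
$after  = buildListOpts($elements, $rows, $guestViewLevels, 'listQueryElementsAfter');

// Before: data[0] still carries email and message, and formels lists both.
// After:  data[0] has only id and first_name, and formels is empty for a guest.
echo json_encode($before, JSON_PRETTY_PRINT), "\n";
echo json_encode($after, JSON_PRETTY_PRINT), "\n";
```

The point to take from the two outputs is where the check has to live: the JS options object is just another rendering of the query result, so an access check applied only when drawing table cells leaves the restricted columns in the inline script. Filtering at the element-selection step, upstream of both the HTML table and `$opts`, is what keeps them out of both.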
 
Ack phfffft. Sorry about that. But at least I put a "$$$ testing" comment in there so we knew what was going on, LOL!

So hopefully these fixes resolve two issues - putting element data that shouldn't be there in formels, and also vastly reducing the amount of data we include in the JS (down to just name and label).

-- hugh
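A quick way to confirm the fix on a site after updating, as an added check that is not part of Fabrik: fetch a list page as a guest, pull the options object passed to `new FbList(...)` out of the source, and list which element names appear in the row data. The page-source snippet below is constructed to resemble the dump earlier in this thread, the `FbList(...)` call shape is an assumption, and the set of allowed elements is made up for the example.

```php
<?php
// Added example, not Fabrik's code: extract the FbList options object from a
// page's source and report which element names its row data carries, so the
// result can be compared with what the viewer is permitted to see.
// The page source and the allowed-element list are constructed; the
// `new FbList('ref', {...});` call shape is assumed.

$pageSource = <<<'HTML'
<head>
<script type="text/javascript">
var list = new FbList('1_com_fabrik_1', {"headings":"['t0pki_fb_contact_sample___id','t0pki_fb_contact_sample___first_name']","data":[[{"data":{"t0pki_fb_contact_sample___id":"2","t0pki_fb_contact_sample___id_raw":"2","t0pki_fb_contact_sample___first_name":"John","t0pki_fb_contact_sample___first_name_raw":"John","t0pki_fb_contact_sample___email":"john.doe@somemail.com","t0pki_fb_contact_sample___email_raw":"john.doe@somemail.com","slug":"2","__pk_val":"2"}}]]});
</script>
</head>
HTML;

// Elements this viewer (a guest) is supposed to see; constructed for the example.
$allowed = ['id', 'first_name'];

function elementsInListData(string $html): array
{
    // Grab the object literal handed to FbList (assumed call shape).
    if (!preg_match('/new FbList\([^,]*,\s*(\{.*\})\s*\);/s', $html, $m)) {
        return [];
    }
    $opts = json_decode($m[1], true);
    if (!is_array($opts) || !isset($opts['data'])) {
        return [];
    }

    $names = [];
    // 'data' is a list of groups, each a list of rows, each with a 'data' map
    // keyed "table___element" (plus "_raw" copies and bookkeeping keys).
    foreach ($opts['data'] as $group) {
        foreach ($group as $row) {
            foreach (array_keys($row['data']) as $key) {
                if (strpos($key, '___') === false) {
                    continue; // slug, __pk_val, fabrik_* and similar
                }
                $name = substr($key, strpos($key, '___') + 3);
                $names[preg_replace('/_raw$/', '', $name)] = true;
            }
        }
    }
    return array_keys($names);
}

$present = elementsInListData($pageSource);
$leaked  = array_values(array_diff($present, $allowed));

echo "Element data in page source: ", implode(', ', $present), "\n";
echo "Not permitted for this viewer: ", ($leaked ? implode(', ', $leaked) : 'none'), "\n";
// With the constructed source above, 'email' is reported as not permitted.
```

Run this against the source of a list page fetched without logging in; after the fix described in this thread, anything reported under "Not permitted" should be empty for elements whose view access is above Public. Repeat it for each list module on the page, since the thread notes that each module emits its own copy of the options.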
 