All data being inserted into page source

Status
Not open for further replies.

inradius

New Member
I'm having an issue where absolutely all of the list data is being inserted into a page's source inside of <script> tags within the <head>. If you go to this demo site and view the source, you will see a spot around line 67
Code:
var list = new FbList(...
at this point it is inserting every single thing for every single entry. Why is this happening? I have a client's site I'm working on right now, and due to this data being inserted it is a massive security hole, as anyone who views the source can get all the private details of all the records.

Also, I had about 5 list modules on one page and it loads all this javascript data 5 times. The page source was so huge that the site was taking around 7-10 seconds to load.

I commented out a line of the /components/com_fabrik/views/list/view.base.php file
Code:
$script[] = $opts;
and it seems to remove that data. The fabrik lists all still work too. What exactly is this data and why is it there?
 
First thing, I can guarantee removing all the opts from the management JS will break some features of lists. If you want to comment out anything for now, it'd be this line (105 in my copy):

PHP:
$opts->formels = $elementsNotInTable;

We use that 'formels' data in a couple of places where we need to have information about elements not displayed in the table, like when building a CSV export popup.

I'm not sure exactly which part of the opts would be considered a massive security risk, but if that's an issue, as with any Fabrik usage, if there are elements you don't want people without a given level of access to see / know about, you can set the ACLs on that element, and we won't include anything about them on a page.

That said, I'm pretty sure we don't need to include the entire element model for each of the 'formels' structure we currently include, and we could cut that back to just the stuff we do need.

I'll raise a ticket on this.

-- hugh
 
Thanks cheesegrits,

About changing the element's access ACLs, I can't get this to remove that element's data from this JavaScript insert. I tried setting the "Editable" and "Viewable" options to Special, but the records still show this in the page source.

In my demo site, I set the Email element field as such, but this is the general JavaScript insert in the page source for each record submitted
HTML:
{"admin":false,"ajax":0,"ajax_links":false,"links":{"detail":"","edit":"","add":""},"filterMethod":"onchange","form":"listform_1_com_fabrik_1","headings":"['t0pki_fb_contact_sample___id','t0pki_fb_contact_sample___first_name','t0pki_fb_contact_sample___last_name']","labels":{"t0pki_fb_contact_sample___id":"id","t0pki_fb_contact_sample___first_name":"First Name","t0pki_fb_contact_sample___last_name":"Last Name"},"primaryKey":"`t0pki_fb_contact_sample`.`id`","Itemid":"101","listRef":"1_com_fabrik_1","formid":"1","canEdit":"0","canView":"1","page":"\/clean\/index.php","isGrouped":false,"formels":[{"id":"4","name":"email","group_id":"1","plugin":"field","label":"Email","checked_out":"0","checked_out_time":"0000-00-00 00:00:00","created":"2012-07-24 20:01:56","created_by":"921","created_by_alias":"admin","modified":"2012-07-26 21:12:20","modified_by":"921","width":"0","height":"0","default":"","hidden":"0","eval":"0","ordering":"3","show_in_list_summary":"0","filter_type":"","filter_exact_match":"1","published":"1","link_to_detail":"0","primary_key":"0","auto_increment":"0","access":"1","use_in_page_title":"0","parent_id":"0","params":"{\"placeholder\":\"\",\"password\":\"0\",\"maxlength\":\"255\",\"disable\":\"0\",\"readonly\":\"0\",\"autocomplete\":\"1\",\"text_format\":\"text\",\"integer_length\":\"6\",\"decimal_length\":\"2\",\"field_use_number_format\":\"0\",\"field_thousand_sep\":\",\",\"field_decimal_sep\":\".\",\"text_format_string\":\"\",\"guess_linktype\":\"0\",\"link_target_options\":\"default\",\"show_in_rss_feed\":\"0\",\"show_label_in_rss_feed\":\"0\",\"use_as_fake_key\":\"0\",\"use_as_rss_enclosure\":\"0\",\"rollover\":\"\",\"tipseval\":\"0\",\"tipsoverelement\":\"0\",\"tiplocation\":\"top\",\"labelindetails\":\"1\",\"labelinlist\":\"0\",\"comment\":\"\",\"view_access\":\"3\",\"encrypt\":\"0\",\"can_order\":\"0\",\"alt_list_heading\":\"\",\"custom_link\":\"\",\"custom_link_indetails\":\"1\",\"use_as_row_class\":\"0\",\"include_in_list_query\":\"1\",\"icon_folder\":\"0\",\"icon_hovertext\":\"1\",\"icon_file\":\"\",\"filter_access\":\"1\",\"full_words_only\":\"0\",\"filter_required\":\"0\",\"filter_build_method\":\"0\",\"filter_groupby\":\"text\",\"inc_in_search_all\":\"2\",\"inc_in_adv_search\":\"1\",\"tablecss_header_class\":\"\",\"tablecss_header\":\"\",\"tablecss_cell_class\":\"\",\"tablecss_cell\":\"\",\"sum_on\":\"0\",\"sum_label\":\"Sum\",\"sum_access\":\"1\",\"sum_split\":\"\",\"avg_on\":\"0\",\"avg_label\":\"Average\",\"avg_access\":\"1\",\"avg_round\":\"0\",\"avg_split\":\"\",\"median_on\":\"0\",\"median_label\":\"Median\",\"median_access\":\"1\",\"median_split\":\"\",\"count_on\":\"0\",\"count_label\":\"Count\",\"count_condition\":\"\",\"count_access\":\"1\",\"count_split\":\"\",\"custom_calc_on\":\"0\",\"custom_calc_label\":\"Custom\",\"custom_calc_query\":\"\",\"custom_calc_access\":\"1\",\"custom_calc_split\":\"\",\"custom_calc_php\":\"\",\"validations\":[]}"},{"id":"5","name":"message","group_id":"2","plugin":"textarea","label":"message","checked_out":"0","checked_out_time":"0000-00-00 00:00:00","created":"2012-07-24 20:01:56","created_by":"921","created_by_alias":"admin","modified":"2012-07-24 20:13:54","modified_by":"921","width":"0","height":"0","default":"","hidden":"0","eval":"0","ordering":"4","show_in_list_summary":"0","filter_type":"","filter_exact_match":"1","published":"1","link_to_detail":"0","primary_key":"0","auto_increment":"0","access":"1","use_in_page_title":"0","parent_id":"0","params":"{\"textarea_placeholder\":\"\",\"use_wysiwyg\":\"0\",\"textarea-showmax\":\"0\",\"textarea-maxlength\":\"255\",\"textarea-tagify\":\"0\",\"textarea_tagifyurl\":\"\",\"textarea-truncate\":\"0\",\"textarea-hover\":\"1\",\"textarea_hover_location\":\"top\",\"show_in_rss_feed\":\"0\",\"show_label_in_rss_feed\":\"0\",\"use_as_fake_key\":\"0\",\"use_as_rss_enclosure\":\"0\",\"rollover\":\"\",\"tipseval\":\"0\",\"tipsoverelement\":\"0\",\"tiplocation\":\"top\",\"labelindetails\":\"1\",\"labelinlist\":\"0\",\"comment\":\"\",\"view_access\":\"1\",\"encrypt\":\"0\",\"can_order\":\"0\",\"alt_list_heading\":\"\",\"custom_link\":\"\",\"custom_link_indetails\":\"1\",\"use_as_row_class\":\"0\",\"include_in_list_query\":\"1\",\"icon_hovertext\":\"1\",\"icon_file\":\"\",\"filter_access\":\"1\",\"full_words_only\":\"0\",\"filter_required\":\"0\",\"filter_build_method\":\"0\",\"filter_groupby\":\"text\",\"inc_in_search_all\":\"2\",\"inc_in_adv_search\":\"1\",\"tablecss_header_class\":\"\",\"tablecss_header\":\"\",\"tablecss_cell_class\":\"\",\"tablecss_cell\":\"\",\"sum_on\":\"0\",\"sum_label\":\"Sum\",\"sum_access\":\"1\",\"sum_split\":\"\",\"avg_on\":\"0\",\"avg_label\":\"Average\",\"avg_access\":\"1\",\"avg_round\":\"0\",\"avg_split\":\"\",\"median_on\":\"0\",\"median_label\":\"Median\",\"median_access\":\"1\",\"median_split\":\"\",\"count_on\":\"0\",\"count_label\":\"Count\",\"count_condition\":\"\",\"count_access\":\"1\",\"count_split\":\"\",\"custom_calc_on\":\"0\",\"custom_calc_label\":\"Custom\",\"custom_calc_query\":\"\",\"custom_calc_access\":\"1\",\"custom_calc_split\":\"\",\"custom_calc_php\":\"\",\"validations\":[]}"}],"actionMethod":null,"floatPos":"left","csvChoose":false,"popup_edit_label":"Edit","popup_view_label":"View","popup_add_label":"Add","limitLength":"10","limitStart":0,"csvOpts":{"excel":0,"inctabledata":1,"incraw":1,"inccalcs":0,"incfilters":0},"csvFields":[],"data":[[{"data":{"t0pki_fb_contact_sample___id":"2","t0pki_fb_contact_sample___id_raw":"2","t0pki_fb_contact_sample___first_name":"John","t0pki_fb_contact_sample___first_name_raw":"John","t0pki_fb_contact_sample___last_name":"Doe","t0pki_fb_contact_sample___last_name_raw":"Doe","t0pki_fb_contact_sample___email":"john.doe@somemail.com","t0pki_fb_contact_sample___email_raw":"john.doe@somemail.com","t0pki_fb_contact_sample___message":"This is a private message that should not be seen by guest users...","t0pki_fb_contact_sample___message_raw":"This is a private message that should not be seen by guest users...","slug":"2","__pk_val":"2","fabrik_select":"","fabrik_view_url":"\/clean\/index.php\/component\/fabrik\/details\/1\/2","fabrik_edit_url":"\/clean\/index.php\/form\/1\/2","fabrik_view":"","fabrik_edit":"","fabrik_actions":""},"cursor":1,"total":1,"id":"list_1_com_fabrik_1_row_2","class":"fabrik_row oddRow0"}]],"rowtemplate":"<tr id=\"\" class=\"fabrik_row\">\n\t\t\t<td class=\"t0pki_fb_contact_sample___id fabrik_element fabrik_list_1_group_1\" >\n\t\t\t\t\t<\/td>\n\t\t\t<td class=\"t0pki_fb_contact_sample___first_name fabrik_element fabrik_list_1_group_1\" >\n\t\t\t\t\t<\/td>\n\t\t\t<td class=\"t0pki_fb_contact_sample___last_name fabrik_element fabrik_list_1_group_1\" >\n\t\t\t\t\t<\/td>\n\t<\/tr>","winid":""}
You can see towards the end that it is still including the person's email address. I might not be understanding the ACL method of doing things in Joomla. Special should not be the guest users, I thought.
 
$opts->formels

No, that's not it, although I've now reduced the amount of data that was being sent, most of which was not needed.

It's the data property, which should not contain elements that cannot be viewed.

I've tracked it down to the group model getListQueryElements() method

Code:
/**
 * $$$ hugh - experimenting adding non-viewable data to encrypted vars on forms,
 * also we need them in addDefaultDataFromRO()
 * if ($element->published == 1 && $elementModel->canView())
 */
if ($element->published == 1)
which is the culprit, hehe, for once it's not me! :D

I've hopefully patched that now in a way that won't break what Hugh was testing.

Could we update from github and test please?

-Rob


 
Ack phfffft. Sorry about that. But at least I put a "$$$ testing" comment in there so we knew what was going on, LOL!

So hopefully these fixes resolve two issues - putting element data that shouldn't be there in formels, and also vastly reducing the amount of data we include in the JS (down to just name and label).

-- hugh
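To make the two fixes concrete, here is an added example (not Fabrik's own code) that models them side by side: the "before" branch keeps only the `published == 1` test from the culprit above, while the "after" branch also requires a view-access check and trims formels to name and label. `canView()`, the `fullName`/`view_access` keys and the level numbers (1 = Public, 3 = Special, as in the dumped JSON) are assumptions built for this illustration.

```php
<?php
// Added example, not Fabrik's own code: a model of the fix discussed above.
// Elements carry 'view_access' as in the dumped JSON; $userLevels is the
// constructed set of Joomla access levels the current viewer holds.
function canView(array $el, array $userLevels): bool
{
    return in_array((int) $el['view_access'], $userLevels, true);
}

// Before: only `published == 1` was tested, so every published element's
// full model and all of its row values were serialized into the page head.
function buildOptsBefore(array $elements, array $rows): array
{
    $formels = array_values(array_filter($elements, fn($el) => (int) $el['published'] === 1));
    return ['formels' => $formels, 'data' => $rows];
}

// After: non-viewable elements are dropped from both 'formels' and 'data',
// and 'formels' is cut back to just name and label.
function buildOptsAfter(array $elements, array $rows, array $userLevels): array
{
    $formels = [];
    $hidden  = [];   // full names of published elements the viewer may NOT see
    foreach ($elements as $el) {
        if ((int) $el['published'] !== 1) continue;
        if (canView($el, $userLevels)) {
            $formels[] = ['name' => $el['name'], 'label' => $el['label']];
        } else {
            $hidden[] = $el['fullName'];
        }
    }
    $data = [];
    foreach ($rows as $row) {
        // Row keys are "<fullName>" and "<fullName>_raw"; strip the suffix before matching.
        $data[] = array_filter($row, function ($key) use ($hidden) {
            return !in_array(preg_replace('/_raw$/', '', $key), $hidden, true);
        }, ARRAY_FILTER_USE_KEY);
    }
    return ['formels' => $formels, 'data' => $data];
}

// Constructed sample: a guest holds level 1 (Public); Email requires level 3 (Special).
$elements = [
    ['name' => 'first_name', 'fullName' => 'contact___first_name', 'label' => 'First Name', 'published' => 1, 'view_access' => 1],
    ['name' => 'email',      'fullName' => 'contact___email',      'label' => 'Email',      'published' => 1, 'view_access' => 3],
];
$rows = [['contact___first_name' => 'John', 'contact___email' => 'john.doe@somemail.com',
          'contact___email_raw' => 'john.doe@somemail.com', 'slug' => '2']];
echo json_encode(buildOptsBefore($elements, $rows)), "\n";      // email value and full element models present
echo json_encode(buildOptsAfter($elements, $rows, [1])), "\n";  // no email keys; formels is name/label only
```

Non-element keys such as `slug` survive the filter because they belong to no element, which is the behaviour the list JS still needs.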
 