All $Translation strings (and image folder) available to view in source code?

Please report bugs and any annoyances here. Kindly include all possible details: steps to reproduce, expected result, actual result, screenshots, ... etc.
peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

All $Translation strings (and image folder) available to view in source code?

Post by peebee » 2021-06-02 06:47

I've just jumped a couple of AppGini versions to update an app to current V5.96

I notice that now included in the header.php is this new <script> which I haven't seen before:

Code:

<script>
<?php
	// make a UTF8 version of $Translation
	$translationUTF8 = $Translation;
	if(datalist_db_encoding != 'UTF-8')
		$translationUTF8 = array_map(function($str) {
			return iconv(datalist_db_encoding, 'UTF-8', $str);
		}, $translationUTF8);

	$imgFolder = rtrim(config('adminConfig')['baseUploadPath'], '\\/') . '/';
?>
var AppGini = AppGini || {};

/* translation strings */
AppGini.Translate = {
	_map: <?php echo json_encode($translationUTF8, JSON_PRETTY_PRINT); ?>,
	_encoding: '<?php echo datalist_db_encoding; ?>'
}

AppGini.imgFolder = <?php echo json_encode($imgFolder, JSON_PARTIAL_OUTPUT_ON_ERROR); ?>;
</script>
That <script> reveals every single $Translation string in your app by simply viewing the source code in a browser? No need to be logged in. It's available to guests on the login page.

Worse still, it reveals the image upload folder to all. Again, no need to be logged in. I personally don't like to advertise my upload folder.

Just view the AppGini demo source code here and you'll see exactly what I mean: view-source:https://bigprof.com/demo/index.php?signIn=1

In my opinion, that does not seem either appropriate or safe for a secure application, particularly as I have customised $Translation strings that I don't want made public?

I'm not entirely sure just exactly what that script is doing but I gather it is mapping translations for non-UTF8 encoding?

As my particular application is UTF8 encoded, I have simply removed that script from the header. Translations and the designated image folder are no longer visible in the source code.

Removing the script doesn't appear to have had any detrimental effect on anything else - all translations still seem to be OK?

Is that script required for any other reason? Will it affect anything else by removing it? Should it be optional (or better still - done some other way)?

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Re: All $Translation strings (and image folder) available to view in source code?

Post by peebee » 2021-06-03 01:31

OK, I've found the first problem caused by deleting the header script mentioned above.

Some modals no longer work and generate the following error (mass delete for example):

Uncaught TypeError: Cannot read property '_map' of undefined
at mass_delete (common.js:937)

I presume the same is going to happen with all other modal alerts/warnings/confirmations?

Restore the original header - modals working correctly again of course - but all $Translation strings available in clear view.

I took a look at the relevant "AppGini.Translate._map" functions in common.js. That's not something I'm about to mess around with.

Surely there must be a better way to go about this without having all $Translation strings and an identifiable upload folder render in plain text in the source code?

jsetzer
AppGini Super Hero
Posts: 1807
Joined: 2018-07-06 06:03
Location: Kiel, Germany

Re: All $Translation strings (and image folder) available to view in source code?

Post by jsetzer » 2021-06-03 15:01

+1 I totally agree with @peebee.

That much JavaScript code directly inside the main file gets more and more annoying. I'd definitely prefer loading literals ($Translations) from an external JavaScript or JSON file.

Code:

<script src="resources/appgini/language.js?v=1234567"></script>
To avoid cache problems, the URL of the source file could contain a unique (random) parameter. This should stop browsers from caching that resource.
Kind regards,
<js />


a.gneady
Site Admin
Posts: 1281
Joined: 2012-09-27 14:46

Re: All $Translation strings (and image folder) available to view in source code?

Post by a.gneady » 2021-06-14 10:55

Thanks for the feedback :)
I do plan to move this code to a separate language.js file in future releases, to be auto-regenerated from language.php whenever it's modified.

To clarify, the purpose of listing translation strings in JS is that some parts of the app do apply translation client-side. The exposed strings do not really impose a security risk because the language file is available for public viewing for any user browsing github ... for example https://github.com/bigprof-software/onl ... nguage.php ... The exposed upload dir is only the default 'images' one, which is also public info for any user browsing AppGini apps available on github.

If you make customizations to the language strings that you don't want to expose, I suggest adding them to a different variable, maybe $customTranslation and using that one where you want to show those strings.
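The split suggested above, written out as an added example (not AppGini's own code): translation strings are divided into a public set that is emitted into the page as before and a private set that only ever exists server-side. It assumes $Translation and the datalist_db_encoding constant as AppGini defines them; $customTranslation, buildClientTranslationMap() and the sample strings are constructed for the illustration.

```php
<?php
// Added example, not part of AppGini. Keeps customised strings out of the
// AppGini.Translate._map emitted in header.php while leaving the rest of
// the map exactly as the stock header produces it.

// Constructed stand-in for the generated language.php (hypothetical values).
if (!defined('datalist_db_encoding')) define('datalist_db_encoding', 'ISO-8859-1');
$Translation = [
    'confirm delete'  => 'Delete the selected records?',
    'record deleted'  => 'Record deleted.',
    'vendor greeting' => 'Welcome to the ACME internal portal', // custom string
];

// Private strings: rendered server-side only, never placed in the JS map.
$customTranslation = [
    'vendor greeting' => $Translation['vendor greeting'],
];

function buildClientTranslationMap(array $all, array $private, string $encoding): array {
    // Remove every private key before anything is serialised for the browser.
    $public = array_diff_key($all, $private);
    // Same UTF-8 conversion header.php performs, applied to the public subset only.
    if ($encoding !== 'UTF-8') {
        $public = array_map(fn($s) => iconv($encoding, 'UTF-8', $s), $public);
    }
    return $public;
}

$clientMap = buildClientTranslationMap($Translation, $customTranslation, datalist_db_encoding);

// JSON_HEX_TAG / JSON_HEX_AMP escape < > & so that no string value can
// terminate the surrounding <script> element when echoed inline.
$jsonFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE;
?>
<script>
var AppGini = AppGini || {};
AppGini.Translate = {
    _map: <?php echo json_encode($clientMap, $jsonFlags); ?>,
    _encoding: '<?php echo datalist_db_encoding; ?>'
};
</script>
<?php
// A private string is used only where the server renders it, HTML-escaped.
echo '<p>' . htmlspecialchars($customTranslation['vendor greeting'], ENT_QUOTES, 'UTF-8') . '</p>';
```

Only keys that common.js never looks up client-side belong in $customTranslation; a key that the modal code expects but that is missing from _map would fail in the same way as the removed script did.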