I notice that now included in the header.php is this new <script> which I haven't seen before:
<script>
<?php
    // make a UTF8 version of $Translation
    $translationUTF8 = $Translation;
    if(datalist_db_encoding != 'UTF-8')
        $translationUTF8 = array_map(function($str) {
            return iconv(datalist_db_encoding, 'UTF-8', $str);
        }, $translationUTF8);

    $imgFolder = rtrim(config('adminConfig')['baseUploadPath'], '\\/') . '/';
?>
    var AppGini = AppGini || {};

    /* translation strings */
    AppGini.Translate = {
        _map: <?php echo json_encode($translationUTF8, JSON_PRETTY_PRINT); ?>,
        _encoding: '<?php echo datalist_db_encoding; ?>'
    }

    AppGini.imgFolder = <?php echo json_encode($imgFolder, JSON_PARTIAL_OUTPUT_ON_ERROR); ?>;
</script>
Worse still, it reveals the image upload folder to all. Again, no need to be logged in. I personally don't like to advertise my upload folder.
Just view the AppGini demo source code here and you'll see exactly what I mean: view-source:https://bigprof.com/demo/index.php?signIn=1
In my opinion, that does not seem either appropriate or safe for a secure application, particularly as I have customised $Translation strings that I don't want made public?
I'm not entirely sure just exactly what that script is doing but I gather it is mapping translations for non-UTF8 encoding?
As my particular application is UTF8 encoded, I have simply removed that script from the header. Translations and the designated image folder are no longer visible in the source code.
Removing the script doesn't appear to have had any detrimental effect on anything else - all translations still seem to be OK?
Is that script required for any other reason? Will it affect anything else by removing it? Should it be optional (or better still - done some other way)?
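As an added illustration of the "done some other way" option (this is example code written for this reply, not AppGini's own header.php and not the poster's code): the snippet below keeps the UTF-8 conversion the original script performs, but emits only a whitelist of translation keys the front-end actually uses, emits nothing at all to visitors who are not signed in, and escapes the JSON so a translation string cannot close the script tag. The $Translation contents, the whitelist, the sign-in flag and the upload path are all constructed sample values; in a real header.php the sign-in flag would come from the session and the path from config().

```php
<?php
// Example only: a minimal, gated way to expose translations to client-side JS.
// Nothing here is AppGini's own code; $Translation, the whitelist, $signedIn
// and $imgFolder are constructed stand-ins for the real values.

// Constructed stand-in for AppGini's $Translation array.
$Translation = [
    'add new'       => 'Add new',
    'cancel'        => 'Cancel',
    'internal note' => 'Customised text we do not want made public',
];

// Assumed whitelist: the keys your own JS really references. Anything not
// listed here never leaves the server.
$clientTranslationKeys = ['add new', 'cancel'];

/**
 * Return only the whitelisted entries of $translation, converted to UTF-8
 * from $dbEncoding when the database encoding is something else.
 * Keys missing from $translation are simply skipped.
 */
function client_translations(array $translation, array $keys, string $dbEncoding): array
{
    $subset = array_intersect_key($translation, array_flip($keys));
    if (strcasecmp($dbEncoding, 'UTF-8') !== 0) {
        $subset = array_map(function ($str) use ($dbEncoding) {
            return iconv($dbEncoding, 'UTF-8', $str);
        }, $subset);
    }
    return $subset;
}

/**
 * Build the <script> block. Returns an empty string for anonymous visitors,
 * so neither the translation map nor the upload folder is advertised to them.
 * JSON_HEX_TAG/JSON_HEX_AMP/JSON_HEX_APOS/JSON_HEX_QUOT encode <, >, &, ' and "
 * so a translation string containing "</script>" cannot break out of the block.
 */
function translation_script(array $translation, array $keys, string $dbEncoding,
                            string $imgFolder, bool $signedIn): string
{
    if (!$signedIn) {
        return '';
    }
    $flags = JSON_PRETTY_PRINT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $map   = client_translations($translation, $keys, $dbEncoding);

    return "<script>\n"
        . "var AppGini = AppGini || {};\n"
        . "AppGini.Translate = {\n"
        . "    _map: " . json_encode($map, $flags) . ",\n"
        . "    _encoding: " . json_encode($dbEncoding, $flags) . "\n"
        . "};\n"
        . "AppGini.imgFolder = " . json_encode(rtrim($imgFolder, '\\/') . '/', $flags) . ";\n"
        . "</script>\n";
}

// Usage with constructed values: a signed-in user and a UTF-8 database.
$signedIn  = true;               // would normally be derived from the session
$imgFolder = 'images/uploads';   // constructed; would come from config('adminConfig')
echo translation_script($Translation, $clientTranslationKeys, 'UTF-8', $imgFolder, $signedIn);
```

Run with `php example.php`: the output contains only the two whitelisted strings, and setting `$signedIn = false` produces no script block at all. The whitelist is the part that needs local attention: if a client-side feature stops working after you remove the original script, that feature's missing key is what should be added to the list, rather than restoring the full dump.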