Modify javascript of contract

[UnMugViolet]

Hello there, I wanted to slightly modify the contract generated to include a new feature preventing the recipient for modifying using F12 or left click.

The issue is that I cannot find the file responsible of catching all the data and generating the data.

I tried to modify the .phpsrc files or generate.js. But everytime it throw an "undefined" in the html.

Do you know how and where I can add my script to add it on each contract I generate ? 🙂

Thanks in advance

[nonsalant]

Hi.

If by “recipient” you mean the person editing/creating(/downloading/etc) the contract (this would also be the person who puts down the first signature), this is the script that catches al the data and puts it together: https://github.com/nonsalant/contract/blob/master/generator/scripts/download/generate.js

But I’m not sure if any effective protections can be added—or if they would be needed here. As the creator of the contract, they need to be able to edit all (or at least most) parts of the contract, and since they need to download the resulting file (before they upload it again to the final PHP-enabled server) they’d have access to the full source where they can change any PHP, HTML, JS, CSS, anyway.

If by “recipient” you mean the end-client (the final person to sign and the only person for which any server-side PHP code is ever ran) — additional protections shouldn’t be needed due to the fact that besides the signature input no other input is being gathered from this person’s browser and sent to the server.

(Note I’m referencing the contract.php file from the root folder of this repo — this file should be similar to any file generated using the Generator.)

More specifically, from around line 113 in contract.php:

$CLIENT_SIGNATURE = isset($_POST['client_signature']) ? $_POST['client_signature'] : null;
if (substr( $CLIENT_SIGNATURE, 0, 22 ) === 'data:image/png;base64,') {
    $CLIENT_SIGNATURE = '<img id="hk" src="' . htmlspecialchars($CLIENT_SIGNATURE) . '" >';
} else {
  $CLIENT_SIGNATURE = null;
}

— the $_POST['client_signature'] should be the only inputed data coming from the end-client’s browser, everything else is hardcoded in variables that cant’t be changed or messed with inside the PHP script.

Take for example the contract body on line 106 (contract.php):

$CONTRACT_HTML='
  <h1>Contract of work</h1><p>This Contract is made and entered into […]</p>
';

This

• is initially created in the Generator (eg: using the WYSIWYG editor),
• is still (technically) editable by the person who downloads the generated (.php) file since they can open the file locally and go to line 106 and change it,
• stops being editable once uploaded to (and ran from) a PHP enabled server — any changes to the contract body made in the client’s browser’s Dev Tools (for example) would have no influence on the server script which still has the initial contract body as a hardcoded string in the $CONTRACT_HTML variable.

Hope this helps!