Ad snippet analysis #69
Conversation
adm/style/manage_ads.html
Outdated
| <dd><textarea id="ad_code" name="ad_code" rows="20" cols="60" style="width: 95%;">{{ AD_CODE }}</textarea></dd> | ||
| <dd> | ||
| <textarea id="ad_code" name="ad_code" rows="20" cols="60" style="width: 95%;">{{ AD_CODE }}</textarea> | ||
| <p>{{ lang('AD_CODE_NOT_SURE') }} <input type="submit" class="button2" id="analyse_ad_code" name="analyse_ad_code" value="{{ lang('ANALYSE_AD_CODE') }}"></p> |
There was a problem hiding this comment.
I think all we need here is the button (dont need the NOT_SURE line)
adm/style/manage_ads.html
Outdated
| </ul> | ||
| {% endif %} | ||
| {% else %} | ||
| {{ lang('EVERYTHING_OK') }} |
There was a problem hiding this comment.
We probably shouldn't say anything here. If the ad code has not been analyzed, we shouldn't presume to say the code is ok.
adm/style/manage_ads.html
Outdated
| <h4>{{ lang('WARNINGS') }}</h4> | ||
| <ul> | ||
| {% for warning in loops.analyser_results_warning %} | ||
| <li>{{ warning.MESSAGE }}</li> |
There was a problem hiding this comment.
There's a little inconsistency in the indentations between these two blocks of code here and above.
We should only say something if the test has been run and passed (maybe define this template var that everything is OK only if there are no test fails, after it has been run).
analyser/manager.php
Outdated
| $this->lang = $lang; | ||
| } | ||
|
|
||
| public function test($ad_code) |
analyser/manager.php
Outdated
| $this->lang = $lang; | ||
| } | ||
|
|
||
| public function test($ad_code) |
There was a problem hiding this comment.
I would prefer calling this run. Also in the following classes, calling it run. It looks better when we have:
$test->run();
$analyser->run();
language/en/acp.php
Outdated
| 'ANALYSE_AD_CODE' => 'analyse advertisement code', | ||
| 'RESULTS' => 'Results', | ||
| 'NOTICES' => 'Notices', | ||
| 'EVERYTHING_OK' => 'The code seems to be OK.', |
language/en/acp.php
Outdated
| @@ -80,6 +85,12 @@ | |||
| 'ACP_AD_DISABLE_SUCCESS' => 'Advertisement disabled successfully.', | |||
| 'ACP_AD_DISABLE_ERRORED' => 'There was an error disabling the advertisement.', | |||
|
|
|||
| // Analyser tests | |||
| 'UNSECURE_CONNECTION' => '<strong>Mixed Content</strong><br />Your code will probably generate “Mixed Content” warning in the browser, because your board runs on HTTPS, but the ad code attempts to load a file from unsecure HTTP connection.', | |||
There was a problem hiding this comment.
Mixed Content
Your board runs on a secure HTTPS connection, however the ad code is attempting to load content from an insecure HTTP connection. This can cause browsers to generate a "Mixed Content" warning to let users know that the page contains insecure resources.
language/en/acp.php
Outdated
| @@ -80,6 +85,12 @@ | |||
| 'ACP_AD_DISABLE_SUCCESS' => 'Advertisement disabled successfully.', | |||
| 'ACP_AD_DISABLE_ERRORED' => 'There was an error disabling the advertisement.', | |||
|
|
|||
| // Analyser tests | |||
| 'UNSECURE_CONNECTION' => '<strong>Mixed Content</strong><br />Your code will probably generate “Mixed Content” warning in the browser, because your board runs on HTTPS, but the ad code attempts to load a file from unsecure HTTP connection.', | |||
| 'SCRIPT_WITHOUT_ASYNC' => '<strong>script without async attribute</strong><br />Your code will load script synchronously, which affects page load performance. Use <samp>async</samp> attribute to speed up the page load.', | |||
There was a problem hiding this comment.
Non-asynchronous javascript
This ad code loads JavaScript code in a non-asynchronous way. This means it will block any other Javascript from loading until it has completed loading, which can affect page load performance. Use of the async attribute can speed up the page load.
language/en/acp.php
Outdated
| // Analyser tests | ||
| 'UNSECURE_CONNECTION' => '<strong>Mixed Content</strong><br />Your code will probably generate “Mixed Content” warning in the browser, because your board runs on HTTPS, but the ad code attempts to load a file from unsecure HTTP connection.', | ||
| 'SCRIPT_WITHOUT_ASYNC' => '<strong>script without async attribute</strong><br />Your code will load script synchronously, which affects page load performance. Use <samp>async</samp> attribute to speed up the page load.', | ||
| 'ALERT_USAGE' => '<strong>Usage of <samp>alert()</samp></strong><br />Your code uses <samp>alert()</samp> function which annoys users and even blocks them using your board before they close it. Some browsers will even block page load and display warning to the user.', |
There was a problem hiding this comment.
Usage of alert()
Your code uses the alert() function which is not a good practice and can distract users. Some browsers may also block page load and display additional warnings to the user.
language/en/acp.php
Outdated
| 'UNSECURE_CONNECTION' => '<strong>Mixed Content</strong><br />Your code will probably generate “Mixed Content” warning in the browser, because your board runs on HTTPS, but the ad code attempts to load a file from unsecure HTTP connection.', | ||
| 'SCRIPT_WITHOUT_ASYNC' => '<strong>script without async attribute</strong><br />Your code will load script synchronously, which affects page load performance. Use <samp>async</samp> attribute to speed up the page load.', | ||
| 'ALERT_USAGE' => '<strong>Usage of <samp>alert()</samp></strong><br />Your code uses <samp>alert()</samp> function which annoys users and even blocks them using your board before they close it. Some browsers will even block page load and display warning to the user.', | ||
| 'LOCATION_CHANGE' => '<strong>Redirection</strong><br />Your code will redirect user to another (probably malicious) page.', |
There was a problem hiding this comment.
Redirection
Your code appears it can redirect user to another page or site. Redirects can sometimes send users to unintended, often malicious, destinations. Please verify the integrity of your ad code's redirection destination.
| */ | ||
| public function test($ad_code) | ||
| { | ||
| if (preg_match_all('/<script(.*)>/U', $ad_code, $matches)) |
There was a problem hiding this comment.
This test is failing for me because this first regex is matching the closing script tag as well, and since the closing tag has no async...false positive.
There was a problem hiding this comment.
Are you sure? It can't match closing tag, there is a slash after < in that case...
|
yep, positive. I had breakpoints and it ran through the condition twice…once for the opening tag and again for the closing tag.
… On Aug 8, 2017, at 9:41 AM, Jakub Senko ***@***.***> wrote:
@senky commented on this pull request.
In analyser/test/script_without_async.php <#69 (comment)>:
> + *
+ * @copyright (c) 2017 phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ */
+
+namespace phpbb\ads\analyser\test;
+
+class script_without_async implements test_interface
+{
+ /**
+ * ***@***.***}
+ */
+ public function test($ad_code)
+ {
+ if (preg_match_all('/<script(.*)>/U', $ad_code, $matches))
Are you sure? It can't match closing tag, there is a slash after < in that case...
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#69 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AASiX6SoWlr0UUJXhYULHnm7F3SDUKKqks5sWI-tgaJpZM4Ou04U>.
|
|
@VSEphpbb can you post your ad code here? |
|
@senky I see what it is.. there's a script within a script in Google Adsense |
|
@senky you should update your regex to only check for async in script tags that contain a |
analyser/manager.php
Outdated
| ); | ||
| foreach ($this->tests as $test) | ||
| { | ||
| $result = array_merge_recursive($result, $test->run($ad_code)); |
There was a problem hiding this comment.
Note that this triggers an inspection warning that merging arrays in a loop causes high CPU usage and is a resources greedy construction. Perhaps there is an alternative approach?
adm/style/manage_ads.html
Outdated
| {% endfor %} | ||
| {% endif %} | ||
| {% elseif CODE_ANALYSED %} | ||
| {{ lang('EVERYTHING_OK') }} |
There was a problem hiding this comment.
We might as well wrap this in a <p class="successbox""></p> so it looks like the other messages and makes users feel extra good about themselves.
adm/style/manage_ads.html
Outdated
| {% if loops.analyser_results_notice or loops.analyser_results_warning %} | ||
| <h2 class="centered-text">{{ lang('RESULTS') }}</h2> | ||
| {% if loops.analyser_results_notice %} | ||
| <h4>{{ lang('NOTICES') }}</h4> |
There was a problem hiding this comment.
I doubt we need the Results, Warnings and Notices headings anymore. The newly stylized message boxes should be enough, and IMO look a little cleaner without all the headings now.
Analysis of entered snippet will be presented to the admin, such as “untrusted connection” when board runs on HTTPS but advertisement snippet will try to load HTTP JS file, “blocking javascript” when
<script>tag withoutasyncattribute will be present, etc.