Ravens PHP Scripts: Forums
 

 

64bitguy
The Mouse Is Extension Of Arm



Joined: Mar 06, 2004
Posts: 1164

Posted: Mon Jan 22, 2018 3:14 am

Notes: 2.51 - Missing my other forum rights for some reason so will just put this here.

This post is just me making notes as I go along before loading by just looking at what I see being called in the templates and comparing page data at ravennuke.com from a user perspective (no admin rights there to see templates load; but I can read the files).. This is test/debug notes... do what you will; just don't kill the note-taker.

Orientation:
First observations from initial includes.

Suggest someone start scanning the structure and includes... too many seem to be called where they are not needed. Some should be merged; many are replicating functions and, if you look at them in the context of being included with others, are conflicting. First, some of the most notable "issues". I won't go into the overlaps (for example, how many times secondary includes are attempting or succeeding at overriding styles; notice, for example, margin-bottom calls, places where background colors are defined but no color is, or there is no background-color set (or background-color is set to transparent) but you have set a color; redefinition of background-position, redefinition of width, redefinition of margin-bottom, etc.).

1. webkitRequestAnimationFrame in jquery.js is deprecated. Should be requestAnimationFrame

2. [ Only registered users can see links on this board! Get registered or login! ] (and here) fails security validation in Chrome.

See: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

3. Integration of Icon Management (err...everything YA related) into YA; but the larger question is why not using phpbb3 as the overall groups and security includes and thereby employing phpbb3 filtering rules as well as phpbb3 groups, UCP/ACP and templates. Not on dev team so I'm assuming someone else has fought this battle, contemplated the options. No idea.

4. Stuck in Subsilver? Hmm.. again theme templating for forums isn't integrated into theme (or, investigating) forums Subsilver is wrapped in theme and is defined and locked that way (no access to admin panel yet). Benefit of phpbb3 or of creating a full style integrated theme (that includes all bbtonuke templates customized for each theme).

5. What is the logic of showing fields that cannot be altered in Profile? I would think that this code would be integrated or trimmed out of everything but what needs to be displayed and is alterable. Covered this before.

6. Wait... Character set is charset=ISO-8859-1. Huge issue there. Everything should be UTF-8.

7. Invalid code line 14 in includes/jquery/css/cmxformTemplate.css
Code:
_margin: 0 -7px; /* IE Win */


8. Invalid (replicated/duplicate meaning) code line 66 in includes/jquery/css/jquery.cluetip.css (Background color is defined multiple times and is the same as border-left-color, border-bottom-color, border-right-color and border-top-color and of more concern is that the color definitions are not exact as defined by the latest standards), e.g. should use ffffff or Red instead of fff; but colors that are module related get tricky when you've defined a contrasting theme color. Hence, wherever possible, those should be consolidated to the theme.

8a. Line 266. The IE6 debugging zoom fix? Really? I think that can be removed in 2018. Find me an IE6 user.. seriously, anywhere. d*** old webdevkit code that isn't needed or valid; debugging aside; Zoom should be removed from includes because "transform" is the only code to use to be cross-browser compatible for the function, see: https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_animated_properties; and while here it historically meant that the element is applied as an internal "switch" to the browser (which was never a CSS property, just a "clearfix" task). Put simply, Zoom is not included in the CSS specification and thus should be excluded.

9. Line 38 in includes/jquery/css/jquery.cluetip-min.css Repeat of Issue as described in 8a

10. Non-compliant webkit and radius code as noticed before. Seeing it scattered around. Need to alter
Code:
-moz-border-radius-bottomleft:17px;-moz-border-radius-topright:17px;-webkit-border-top-right-radius:17px;-webkit-border-bottom-left-radius:17px;
See: https://developer.mozilla.org/en-US/docs/Web/CSS/border-bottom-left-radius and the right radius just below it.

11. So far I ponder the vast number of CSS includes and the fact that the locations are not one standardized path (and thus are needlessly exposing site directory paths).

First couple of hours.. I'll get back to this.
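The line-by-line findings in items 7, 8a, 9 and 10 can be collected mechanically across a tree of CSS includes. The following is an added example, not part of the original post and not RavenNuke code; the function names and the sample stylesheet are constructed for illustration, reusing only the two declarations quoted above.

```python
import re

# -moz- corner suffixes and the standard longhand each one corresponds to
MOZ_CORNERS = {
    "topleft": "border-top-left-radius",
    "topright": "border-top-right-radius",
    "bottomleft": "border-bottom-left-radius",
    "bottomright": "border-bottom-right-radius",
}


def standard_name(prop):
    """Return (reason, suggested standard property or None) for a legacy
    property, or None when the property needs no attention."""
    if prop.startswith("_"):
        return ("underscore hack (old IE only)", prop[1:])
    if prop == "zoom":
        return ("not part of the CSS specification", None)
    if prop.startswith("-moz-border-radius"):
        corner = prop[len("-moz-border-radius"):].lstrip("-")
        return ("prefixed radius", MOZ_CORNERS.get(corner, "border-radius"))
    if re.fullmatch(r"-webkit-border-(\w+-\w+-)?radius", prop):
        return ("prefixed radius", prop[len("-webkit-"):])
    return None


def audit_css(css):
    """Return [(line, property, reason, suggestion)] for each legacy declaration."""
    # Blank out comments but keep their newlines so line numbers stay right.
    css = re.sub(r"/\*.*?\*/", lambda m: re.sub(r"[^\n]", " ", m.group()),
                 css, flags=re.S)
    findings = []
    for block in re.finditer(r"\{([^{}]*)\}", css):      # innermost rule bodies
        for decl in re.finditer(r"([^;:]+):([^;]*)", block.group(1)):
            raw = decl.group(1)
            prop = raw.strip().lower()
            hit = standard_name(prop)
            if hit:
                pos = block.start(1) + decl.start(1) + len(raw) - len(raw.lstrip())
                findings.append((css.count("\n", 0, pos) + 1, prop, hit[0], hit[1]))
    return findings


# Constructed stylesheet; selectors are placeholders.
SAMPLE_CSS = """\
form.cmxform fieldset {
  margin-bottom: 10px;
  _margin: 0 -7px; /* IE Win */
}
#cluetip-outer { zoom: 1; background-color: #fff; }
.box {
  -moz-border-radius-bottomleft:17px;-moz-border-radius-topright:17px;-webkit-border-top-right-radius:17px;-webkit-border-bottom-left-radius:17px;
  border-bottom-left-radius: 17px;
}
"""

if __name__ == "__main__":
    for line, prop, reason, suggestion in audit_css(SAMPLE_CSS):
        print(f"line {line}: {prop}: {reason}; use {suggestion or 'nothing (remove)'}")
```
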
 
neralex
Site Admin



Joined: Aug 22, 2007
Posts: 1772

Posted: Mon Jan 22, 2018 12:56 pm

Thanks for your report but please note: the old stable build RN25x is getting only fixes, when the functionality breaks based on newer PHP or MySQL versions. There is no scheduled plan to fix cosmetics or to change deep logic-routines. Many issues are already fixed in RavenCMS or it is completely replaced.

I'm currently working on a fix-package for the old stable build, to let it run with PHP 5.6.x, PHP 7.x and MySQL 5.x. A lot of issues are already fixed. If you want to contribute the cosmetics you pointed out in the css-files, then ZIP it and send me an archive based on the folder-structure. I will check/replace it. Any help is welcome.

But now your answers:

1. jQuery isn't updated since many years on this old stable build because in this case many other used jQuery plugins must be updated too. It works as it is. Maybe when I have time in the next days, I will try to update all plugins to the latest jQuery 3.3.x for the next RN25x fix package.

2. Works fine on my end - Can't find any issues! Tested with latest Chrome, Firefox and IE11. If you mean the protocol-warning, that the site isn't using an HTTPS cert - no worries - which is a simple demo-installation without onpage-support. This would be cool for ravenphpscripts. ;)

3. Is already done in RavenCMS, RN25x stays on the old stable template-system without changes anymore. phpbb3 is an huge bughole and it makes no sense to open doors, which were already closed years ago in the integrated phpbb2x version.

Reason & answers: [ Only registered users can see links on this board! Get registered or login! ]

4. Yes, subSilver is the default template of the integrated phpbb2x version and you are right, the used theme has no Forums-template of its own and this is the reason why it is using the default subSilver template.

5. If you mean the forums-profile: /forum-editprofile.html - then read the text in the colorbox-window: "Attention! Unless you are uploading an avatar you should be using Your Account to edit your profile." The integrated phpbb2x version is a bridge, controlled by Your_Account and not by phpbb2x!

6. Known, but it will not be changed anymore in RN25x because it's not only needed to change the encoding in the HTML-code, it would need a whole replacement of all php-filterings in each file of the old stable build and a deeper change of the database-layer. If you would change it only in the HTML-code, all special chars from other languages like German, French, Spanish etc. will make more trouble than really needed. This was one big reason for RavenCMS, and there it is already done!

7. Looks like an old never used IE-fix - line deleted in the upcoming RN25x fix-package!

8. It's an old file in an old stable build based on an old standard. Only cosmetics and it returns no issue, so I decided to leave it as it is. Who wants to change it - just do it! ;)

8a. Look at the answer on point 8. Cosmetics are already done in RavenCMS.

9. Look at the answer on point 8. Cosmetics are already done in RavenCMS.

10. Not every CSS include must be standardized because each module, addon, theme or block can have its own css-files, which can be placed in any folder chosen by the developer. To remove it would destroy many of the users' own scripts. It makes no difference where the css-files are located as long as they are available in public. There is no scheduled plan to change this functionality in the old stable because it returns no issues. Who wants to change it - just do it!
 
64bitguy







Posted: Mon Jan 22, 2018 6:39 pm

Apparently, I'm lost...

I was beginning my adventure in analysis based on what I saw on the homepage here.. You know... In the center of page, at the top... that big bold announcement about 2.51.00 being released and its rating at hot scripts (note that there's no date there and that link doesn't take me anywhere helpful, which is odd); but I was going on what I saw announced here...

I was also basing this on what is running at the ravennuke site.

Apparently, that's all wrong or I have interpreted it incorrectly.

Also... I mean if this code is old, isn't being maintained or is not what is being worked on now, please direct me to the development code (which I'm guessing is about to be released; but I don't know) and I can start looking at that. I mean why waste my time on stuff that nobody will be using in a month.....

Anyway, regarding responses, I wasn't really seeking a defense of RavenNuke. No defense is ever really necessary, this was just me starting to dig into the published code and just my note taking about what I am seeing as mentioned at the top of the post. I have much more in terms of updates/fixes; BUT, note that when I compliance debug, I never accept that any identified issues or provided fixes are not implemented simply because of the justification that, "it already works". In my mind, you are either coding in compliance with established standards, or you are not. There is no middle ground for me. "Because it works" isn't a justification or reason that I ever use (as documented in my history). It's just who I am. If it is wrong, I fix it. I may eventually end-up rewriting the entire thing (section of code, option, feature, function); but I always start by making compliant, "what is".

Next, the issue I identified in the compliance issue relative to Chrome Standards was both indicated and demonstrated here, at ravennuke and indeed as defined by 2.51.00 code itself in how the YA and Profile "Option" works. In summary, if an option only exists in Profile, then that function should be integrated to YA. It's not rocket science. Then you simply make the Profile link in the template take you to YA. No YA Option (or for that matter bbtonuke Profile option) should be excluded from whatever "page" you are using to manage that function.... any function. If it is only going to do that one thing, what is the rest of that code that you can't change any of those other things all about? It's pointless.

Regarding http.

In 2018, I only write code designed for https everywhere. It's a CMS necessity at this point. Not coding with the assumption of https everywhere is inherently insecure for any actual CMS purposes. Again, CMS (as in Content Management System) purposes. If we were talking about non-aggregated content or non-database/non-query driven content, that's different; but any CMS that isn't compliant to the concepts of https everywhere as outlined in detail by the W3C (and many others) IMHO makes that product not suitable as a CMS solution and thus, I won't be involved. https://www.w3.org/2001/tag/doc/web-https

To have "holes" in coding compliance to or through any non-compliant transitional template, popup or function defines the former issue I identified relative to compliance to Chrome versions and the link explains the change in Chrome handling and behavior and how to correct the coding to address it.

In closing, yeah, seeing, "Not secure" in the browser for ANY domain before or after credentialing ... STINKS. Plain and simple. If you trust such a domain with CMS content or your credentials (in this day and age) makes me ponder the perspective of "joe user" that knows better. I know better, so seeing that bugs me. Valid certs are just part of doing business now. "Not Secure" should scare the C R A P out of everyone.

About bbtonuke SubSilver, um.. ... really?.. ProSilver for 2 has been out for what.. a decade plus? I had a fully integrated template based standardized theme (my own custom theme) in full compliance 10-years ago. That theme meant that ANY other theme could be adapted and integrated into the CMS including bbtonuke back then, a decade ago and as is being demonstrated RIGHT HERE, right now. I reworked much of Raven's theme before I rewrote everything in 1CMS. Bottom line, not having an integrated default theme shared in common with default CMS construct being applied as a baseline to every single CMS page is well.. no offense... embarrassing. It gives ZERO motivation for anyone to develop new themes for the CMS. This is also how your CSS includes code gets defined and standardized too. You fix it in the first theme for every module so making new themes that are compliant is simple.

In terms of phpBB3 security.. frankly.. as someone that has spent countless hours writing code including phpbb3, phpbb2 and bbtonuke 2.x, I'm more than a little offended by the insinuation that the current version of phpBB is insecure or "phpbb3 is an huge bughole and it makes no sense to open doors, which were already closed years ago in the integrated phpbb2x version." That statement is flatly incorrect with only one active security issue in CVE and in the fact that bbtonuke still has those holes, I can't support the argument. As someone that rewrote it all, I know what the bbtonuke .23 code looks like (I spent over 1,000 hours rewriting bbtonuke AFTER version .24, over 10-years ago). I forget how much time Chatserv spent on this; but a quick look over there shows.. phpBB3, so go figure.

I know about the holes and bugs that exist in bbtonuke, and they still exist here right now. This was one of the reasons why I had to recode everything for UTF-8 so very long ago. It's "necessary", not optional. It also meant recoding the entire first line security filtering model used by Nuke. I rewrote that to satisfy the double-filtering problems that were discovered to be significant after digging deeply; but also because much of that section of code is already in bbtonuke includes and isn't needed once query security was created (poorly; but yet started in Nuke 8). Ask DJ about the filtering issue, he addressed it directly in the first release of Dragonfly ... what ... 15-years ago? I'm pretty sure Bob Marion's own domain code was unique too. It didn't stop the XSS query issue which was only fixed by active query validation (which I'm not sure exists anywhere outside of 1CMS; I haven't even started looking at other forked code yet). I am NOT a fan of the latest version (with SSO, new to Dragonfly) because I will never trust any 3rd party with ANY aspect of credential management, especially registration. Pardon me while I wave to the Russian bots and hackers watching from their validated Google and Facebook accounts...

The bottom line about phpBB3 is that it not only supports PHP 5.4.0+ features (through 7) which cannot be claimed by bbtonuke 2.x; nevertheless, it is secure and more so than any 2.x solution. I can see why some would be reluctant to adopt the theme/template system; but the group management and security is just so much better. When I recoded 1CMS, I adopted the ACP/UCP over YA. It was just easier to move those functions into ACP/UCP. My choice boiled down to platform security. The phpBB3 model gives you an actual baseline designed for CMS Group Management and Module support. I liked the model and after rewriting bbtonuke .24, I just decided to instead strip it all out and use 3.x to simply do what bbtonuke 2.x did for PHP-Nuke way back when, which itself replaced the original Nuke security model and then when Bob Marion ported over phpBB Groups; which phpBB3 does for me now and of course, they still support in the baseline (meaning nobody else has to look at or customize that code).

Finally, just to clarify HOW I do what I do, I always start debugging with the templates/theme page loading issues, first; because once presentation compliance is 100% valid, I can "spot" the PHP coding issues much easier. If I know all of the "variables" and expected values, I can then start looking at the non-presentation code to make sure that "methods" comply with the latest Standards. Anyway, everyone has a method for debugging, this is just what I have used as it seems to save me time. I haven't even looked at a single query yet.
Okay.. rant over...

Now.. about this, "RavenCMS"... I can find nothing in downloads.. (in part or in whole). Can someone please point me to where the latest code (or CVS is) so I can take a look?

Thanks!
Steph
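The Google post linked in item 2 of the first message announced that Chrome would mark HTTP pages that collect passwords or credit cards as non-secure; a template set can be checked for that condition offline. The following is an added example, not part of the thread and not RavenNuke code: the host, paths and the `autocomplete="cc-*"` heuristic for card fields are assumptions, and the check on where each form submits goes slightly beyond what the thread states.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CredentialForms(HTMLParser):
    """Collect every form that holds a password or card field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each: {"action": absolute URL, "kinds": set()}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits back to the page URL.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "kinds": set()}
            self.forms.append(self._form)
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                kind = "password"
            elif a.get("autocomplete", "").lower().startswith("cc-"):
                kind = "card"      # assumption: card fields carry autocomplete="cc-*"
            else:
                return
            if self._form is None:     # sensitive field outside any <form>
                self._form = {"action": self.page_url, "kinds": set()}
                self.forms.append(self._form)
            self._form["kinds"].add(kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Return [(finding, detail)] for one page; an empty list means clean."""
    parser = CredentialForms(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["kinds"]:
            continue                   # search boxes etc. are not flagged
        kinds = "/".join(sorted(form["kinds"]))
        if urlsplit(page_url).scheme != "https":
            findings.append(("not-secure", f"{kinds} field on page loaded over HTTP"))
        if urlsplit(form["action"]).scheme != "https":
            findings.append(("cleartext-submit", f"{kinds} posted to {form['action']}"))
    return findings


# Constructed sample pages (host and paths are placeholders).
LOGIN = ('<form action="{}" method="post"><input name="username">'
         '<input type="password" name="pass"><input type="submit"></form>')
SEARCH = '<form action="/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    pages = [
        ("http://demo.example/account", LOGIN.format("/account/login")),
        ("https://demo.example/account", LOGIN.format("http://demo.example/account/login")),
        ("https://demo.example/account", LOGIN.format("/account/login")),
        ("http://demo.example/", SEARCH),
    ]
    for url, html in pages:
        print(url, audit_page(url, html))
```
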
 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6432

Posted: Mon Jan 22, 2018 11:10 pm

Quote:
In the center of page, at the top... that big bold announcement about 2.51.00 being released and its rating at hot scripts (note that there's no date there and that link doesn't take me anywhere helpful, which is odd);

Apparently, Hotscripts disappeared around the beginning of the year and now simply redirects to webhostingtalk, which has an interesting thread on the subject.

Since it was significantly outdated, I simply disabled it.

Not enough time to read the rest of the notes / discussion, but thanks for pointing out the broken link.

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
64bitguy







Posted: Tue Jan 23, 2018 1:31 am

Let's just say, where's the RavenCMS code? Not RavenNuke code, which I mistook as the same thing.. my bad.
 
neralex







Posted: Tue Jan 23, 2018 1:34 am

64bitguy wrote:
Now.. about this, "RavenCMS"... I can find nothing in downloads.. (in part or in whole). Can someone please point me to where the latest code (or CVS is) so I can take a look?

Thanks!
Steph


It's already discussed in the RN3 related thread. When a stable version is ready to use, I will share it! ;)

Edit: If you already have fixes, which are related to security issues in the integrated bb2nuke version: why not share them with us? It would also help to fix the upcoming fix-package for the old stable build. I understand your enthusiasm and I'm really happy about every helping hand but right now I'm in the middle of converting RavenCMS to Bootstrap4. If I would share the files now, almost all files would have to be replaced again shortly. That would cause far too much confusion. My goal is a GitHub repo for the old and for the new stable but at first I have to finish my current changes.
 
kguske







Posted: Tue Jan 23, 2018 7:35 pm

Quote:
7. Invalid code line 14 in includes/jquery/css/cmxformTemplate.css

I commented this out as a quick "solution."

This is part of the JS used in the RNYA module. Given the time, I'd like to replace this with DataTables to enable functionality similar to the nukeSPAM's spam event log viewer.

Working with a site like this with tens of thousands of users (which I'd also like to prune), the old interface is limited, if not annoying.

While we're at it, why not enable maintenance of forum attributes like the signature...? ;)
 
neralex







Posted: Fri Jan 26, 2018 4:56 pm

neralex wrote:
1. jQuery isn't updated since many years on this old stable build because in this case many other used jQuery plugins must be updated too. It works as it is. Maybe when I have time in the next days, I will try to update all plugins to the latest jQuery 3.3.x for the next RN25x fix package.


# jQuery cookie replaced with JavaScript Cookie v2.2.0
# jQuery validate updated to 1.17.0
# jQuery superfish updated to 1.7.9
# jQuery hoverIntent updated to 1.9.0
# jQuery colorbox updated to 1.6.4
# jQuery updated to 3.3.1

;)
 
All times are GMT - 6 Hours
 