offbeatmammal / jserrlog Goto Github PK

When the onerror handler gets called with its fourth parameter colno, that should get included in jsErrLog's reporting.

It's currently supported by at least IE10 and Chrome from version 30.

I'd like to make it independent of jserrlog.appspot.com so that you can specify

<script type="text/javascript" src="jserrlog.js"></script>
<script type="text/javascript">
    jsErrLog.url = 'http://www.yahoo.com/jslogger.php';
</script>

The downside is that is that people would have to add

<script type="text/javascript">
    jsErrLog.url = 'http://jserrlog.appspot.com/logger.js';
</script>

after the <script/>-tag to be able to use your service.

However, the upside, which I think outweights the downside, is that it makes it possible to write a simple test that fetches a static JavaScript file and executes it from the checked out source (showing an alert, or similar). This makes it easy to test the code on multiple browsers (which there currently is no test coverage of).

My question it, would you be interested in such a pull request?

at the moment when dealing with minified JS jsErrLog is unable to provide any more intelligent backtracking to the original source error. Would be advantageous to provide the ability to point to the unminified source and (possibly knowing the compression technique) highlight the original source error in addition to the actual execution error.

Needs research ;)

I wonder if it would be possible to store the client IP and display it in the error reports next to the url. This could be (or should be) configurable since some sites may prefer not to store the ip address due to privacy concerns.

The script is not properly guarded against loading it more than once, if it is, the error reporting goes into an infinite loop and reports the first error over and over essentially halting the browser.

The variable fnPreviousOnErrorHandler is overwritten with the error handler of jsErrLog so that the method to call the previous handler will the own handler.

It would be best to put the whole script into the if (!jsErrLog) backets. This way only one "instance" is created and the variables are not overwritten when the script is accidentally loaded twice.

I have observed a lot of identical reports for a page where I assume some kind of javascript animation is wrong so that it references an undefined object on mouse movement or similar. It would be helpful if the reports already sent are stored and checked so that the same error isn't reported more than once.

We are big fans of jQuery and I stumbled across this post that talks about how to catch errors in jQuery. Obviously not everyone are interested in this, so I guess it would be a sub module (ie. imported after the jserrlog.js file).

However, I think this would be an awesome feature!

What license is this project under?

When passing the URL to the error reporting service there might be certain fields that - for security or clarity - may be better if stripped off.

suggestion is to add a simple array that lists the querystring parameters which should be removed from the URL when it is passed to the logging service. For robustness the replace should be case insensitive.

examples could include password hashes, sessionIDs, PII which should not be shared outside the system (though it should be noted that holding any PII on a querystring is a questionable action in itself outside a closed intranet environment)

Hey!

I noticed that you've written jsErrLog supports Firefox 4. Is there a specific reason why you left our Firefox 3.x? I have a test case (see pull request) that passes for Firefox 3.6.22, so maybe it should be added to the README file, too? Can you confirm that it works on your computer, too?

Regards,
Jens

Currently the reporting UI is very limited

Adding support for pagination and filtering would be a good first step

additional features could include

• track timeline for a particular error
• view unique errors by browser(version)
• view total errors by browser(version)
• view unique errors by OS
• view total errors by OS
• view total count for a particular error [with browser(version) and OS breakdowns]
  ideally all the graphs would be variable time sequences so it's possible to correlate rise/drop to an OS or Browser release etc

If a page is really buggy or if there is a bug in the jserr script itself (see my next report), there may be a lot of error reports which may slow down the browser. It would be good to limit the number of reports to e.g. 10 (or make the max number settable).

ytuytuytu

Has the code already been looked over regarding security issues? I only did a short overview and I think it might be useful to do that. Currently I didn't find any non-public communication channel (e.g. mail for security), I prefer not to say anything specific in the public issue tracker.

Give the proper example

When an error occurs in a file location that is an URL containing parameters, the & char will cut off the url at that place since escaping is not done on the string. I don't think this will cause any real errors (unless the url contains a ui or info parameter as well), but it would be better if the parameter is escaped as well.

the same goes for the err parameter

this is more of a nitpick than an actual issue, the limit of 2048 chars applies to GET, not to POST and the url that is requested by jserrlog is a GET

When reading the rss feed for a page, the link tag points to / as text and to the jserrlog.appspot.com/ in the link tag, I think it would be better to have the actual page link so you can click it.

at the moment payload is passed from front-end to backend via a dynamically injected script reference (which allows responses to be passed back). add option to also report via a request for an image (eg classic 1x1px gif) with no return payload

In the work project i have used jsErrLog, I see a lot of errors pertaining to doubleclick and other banner services, it would be useful to be able to ignore some domains so that the reports are not sent when the script location is from this domain

Similar to the existing XMPP support a facility to add notification via email would be beneficial

Would require similar functionality

• self registration (with some form of validation)
• anti message flood protection
• multiple users per domain
• multiple domains (unique URLs, subdomains, wildcards) per user

I wonder if it would be better to have the same uid when more than one error is reported on a page for one user (e.g. the user causes 2 errors and then reloads the page, then we get 4 reports that are not properly connected since they have 4 different uids).

The php example on the docs page uses a pattern that is not xss safe, while this may not be directly exploitable if the report script is setting the correct content-type, it is still a good practice to provide safe examples (it might be exploitable if the content-type is text/html).

jsErrLog.removeScript(<?=$_GET['i']?>);

at least requires a regex check to avoid xss

<?
$i=$_GET['i'];
if(preg_match('/^[0-9]+$/',$i)===FALSE) [
  $i=0;
}
?>
jsErrLog.removeScript(<?=$i?>);

(I hope I got the script correct, typed this from memory)

The current XMPP interface in the AppEngine component is limited in a number of respects

• message floods (if you get lots of errors), so needs a rate limited for unique errors
• hard to register for multiple subdomains or wildcard for reporting
• no self-registration (though that would require validation of domain ownership)
• no multiple user registration for a domain