Skip to content

feat: tambahkan parameter identitas openkab #1007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pandigresik wants to merge 1 commit into
base: rilis-dev
Choose a base branch
from
+117 −81
Open

feat: tambahkan parameter identitas openkab #1007

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 0 additions & 57 deletions public/build-web/assets/vendor-02370d6c.js
View file
Open in desktop

This file was deleted.

83 changes: 83 additions & 0 deletions public/build-web/assets/vendor-5c04c9f3.js
View file
Open in desktop

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions public/build-web/assets/web-8c49582b.js → public/build-web/assets/web-b4aa1d33.js
View file
Open in desktop

Large diffs are not rendered by default.

8 changes: 4 additions & 4 deletions public/build-web/manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"_vendor-02370d6c.js": {
"file": "assets/vendor-02370d6c.js"
"_vendor-5c04c9f3.js": {
"file": "assets/vendor-5c04c9f3.js"
},
"node_modules/@fortawesome/fontawesome-free/webfonts/fa-brands-400.ttf": {
"file": "assets/fa-brands-400-003f1154.ttf",
Expand Down Expand Up @@ -47,9 +47,9 @@
"src": "node_modules/owl.carousel/dist/assets/owl.video.play.png"
},
"resources/js/web.js": {
"file": "assets/web-8c49582b.js",
"file": "assets/web-b4aa1d33.js",
"imports": [
"_vendor-02370d6c.js"
"_vendor-5c04c9f3.js"
],
"isEntry": true,
"src": "resources/js/web.js"
Expand Down
11 changes: 11 additions & 0 deletions resources/js/web.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,18 @@ import $ from 'jquery';
import '../vendor/bootstrap-5.3.2/js/bootstrap.bundle.min';
import 'chart.js/dist/Chart.min';
import 'select2/dist/js/select2.full.min';
import { filter } from 'lodash';

window.$ = $;
window.jQuery = $;
window.bootstrap = bootstrap;
$.ajaxSetup({
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 📝 Code Quality: Code Duplication - DRY Violation

Kategori: Architecture

Masalah: Logic $.ajaxSetup() untuk inject parameter kode_kabupaten diduplikasi persis di 2 tempat berbeda:

  1. resources/js/web.js (L10-19) - untuk public web
  2. resources/views/layouts/presisi/partials/javascript.blade.php (L30-39) - untuk admin panel

Duplikasi ini melanggar prinsip DRY (Don't Repeat Yourself) dan menyulitkan maintenance. Jika ada bug atau perlu perubahan logic, harus diubah di 2 tempat.

Kode:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
        if (settings.url.indexOf('?') === -1) {
            settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        } else {
            settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        }
    }
});

Fix:
Ekstrak ke shared utility module yang bisa digunakan di kedua context:

// resources/js/utils/ajax-setup.js
export function setupAjaxDefaults() {
    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
            
            if (!identitasOpenkab) {
                console.warn('Meta tag identitas-openkab tidak ditemukan');
                return;
            }
            
            const params = `kode_kabupaten=${identitasOpenkab}&filter[kode_kabupaten]=${identitasOpenkab}`;
            settings.url += settings.url.indexOf('?') === -1 ? `?${params}` : `&${params}`;
        }
    });
}

// resources/js/web.js
import { setupAjaxDefaults } from './utils/ajax-setup';
setupAjaxDefaults();

// Untuk admin panel, buat inline script yang import dari build:
// <script>window.setupAjaxDefaults && window.setupAjaxDefaults();</script>

beforeSend: function (xhr, settings) {
const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] ⚡ Performance: jQuery Selector Tanpa Cache di AJAX beforeSend

Masalah: Selector $('meta[name="identitas-openkab"]').attr('content') dipanggil di dalam beforeSend callback yang akan dieksekusi pada SETIAP request AJAX. Ini menyebabkan DOM query berulang untuk elemen yang nilainya statis (tidak berubah selama page lifecycle).

Kode:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');

Dampak:

  • Production Impact: Jika halaman melakukan 50 AJAX requests, akan ada 50x DOM query untuk elemen yang sama
  • Performance Cost: ~0.5-2ms per query × jumlah AJAX requests
  • Scalability: Pada dashboard dengan banyak AJAX (DataTables, charts, live updates), overhead bisa mencapai 100-500ms total per page load

Fix:

// Cache selector di luar ajaxSetup (hanya query 1x saat page load)
const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content') || '';

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        // Gunakan cached value
        if (settings.url.indexOf('?') === -1) {
            settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        } else {
            settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        }
    }
});

Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 📝 Code Quality: Missing Null/Undefined Check

Kategori: JS Quality

Masalah: Kode langsung menggunakan identitasOpenkab tanpa validasi apakah meta tag ada atau tidak. Jika meta tag tidak ditemukan (misalnya karena error di Blade atau data $identitasAplikasi kosong), identitasOpenkab akan undefined dan URL akan menjadi ?kode_kabupaten=undefined&filter[kode_kabupaten]=undefined.

Kode:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
if (settings.url.indexOf('?') === -1) {
    settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;

Fix:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
        
        // Guard clause: skip jika meta tag tidak ada
        if (!identitasOpenkab) {
            console.warn('Meta tag identitas-openkab tidak ditemukan, AJAX request tanpa kode_kabupaten');
            return;
        }
        
        const params = `kode_kabupaten=${identitasOpenkab}&filter[kode_kabupaten]=${identitasOpenkab}`;
        settings.url += settings.url.indexOf('?') === -1 ? `?${params}` : `&${params}`;
    }
});

Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] 🐛 Bug: Undefined Injection ke URL AJAX

Kode: const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');

Skenario:

  • Jika meta tag <meta name="identitas-openkab"> tidak ada di DOM (misalnya karena error di Blade rendering, atau view yang tidak include layout dengan benar)
  • $('meta[name="identitas-openkab"]').attr('content') akan return undefined (bukan string kosong)
  • Variabel identitasOpenkab menjadi undefined
  • Saat di-concatenate ke URL di baris 14/16, JavaScript akan convert undefined menjadi string literal "undefined"
  • Semua AJAX request akan punya parameter: ?kode_kabupaten=undefined&filter[kode_kabupaten]=undefined

Dampak:

  • Backend API menerima string "undefined" sebagai kode kabupaten
  • Query database akan gagal atau return data yang salah
  • Filter tidak berfungsi dengan benar
  • Potensi data leak jika backend tidak validasi strict

Fix:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content') || '';
if (!identitasOpenkab) {
    console.error('Meta tag identitas-openkab tidak ditemukan');
    return; // atau throw error untuk mencegah request dengan data invalid
}

if (settings.url.indexOf('?') === -1) {
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 📝 Code Quality: Hardcoded Configuration

Kategori: JS Quality

Masalah: Parameter names (kode_kabupaten, filter[kode_kabupaten]) di-hardcode langsung di logic. Jika di masa depan perlu menambah parameter lain atau mengubah naming convention, harus mengubah kode di multiple places. Lebih baik menggunakan konfigurasi.

Kode:

if (settings.url.indexOf('?') === -1) {
    settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
} else {
    settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
}

Fix:

// Definisikan config di top-level atau import dari config file
const AJAX_PARAMS_CONFIG = {
    metaTagName: 'identitas-openkab',
    paramNames: ['kode_kabupaten', 'filter[kode_kabupaten]']
};

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $(`meta[name="${AJAX_PARAMS_CONFIG.metaTagName}"]`).attr('content');
        
        if (!identitasOpenkab) {
            console.warn(`Meta tag ${AJAX_PARAMS_CONFIG.metaTagName} tidak ditemukan`);
            return;
        }
        
        const params = AJAX_PARAMS_CONFIG.paramNames
            .map(name => `${name}=${identitasOpenkab}`)
            .join('&');
            
        settings.url += settings.url.indexOf('?') === -1 ? `?${params}` : `&${params}`;
    }
});

settings.url += '?kode_kabupaten=' + identitasOpenkab+'&filter[kode_kabupaten]=' + identitasOpenkab;
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] 🔒 Security: URL Parameter Injection via Unencoded Meta Tag Value

Masalah: Nilai identitasOpenkab dari meta tag langsung dikonkatenasi ke URL tanpa encodeURIComponent(). Attacker yang bisa memanipulasi meta tag (misal via XSS di tempat lain atau server-side injection) dapat menyuntikkan parameter tambahan atau karakter khusus yang merusak URL.

Kode:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
if (settings.url.indexOf('?') === -1) {
    settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
} else {
    settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
}

Risiko:

  • Parameter Pollution: Attacker inject &admin=1 atau parameter sensitif lain
  • URL Breaking: Karakter seperti #, &, = bisa merusak struktur URL
  • Filter Bypass: Jika backend mengandalkan parameter ini untuk authorization, bisa di-bypass
  • Impact: Semua AJAX request di aplikasi terpengaruh karena menggunakan $.ajaxSetup() global

PoC (Chrome Console):

// Jalankan di Chrome DevTools Console (F12 → Console)
// Pastikan sudah login ke aplikasi di tab yang sama

// Step 1: Manipulasi meta tag untuk inject parameter berbahaya
$('meta[name="identitas-openkab"]').attr('content', '1234&admin=true&role=superadmin');

// Step 2: Trigger AJAX request (contoh ke endpoint apapun)
const testUrl = '/api/test-endpoint';
const resp = await fetch(testUrl, {
    method: 'GET',
    headers: { 'X-Requested-With': 'XMLHttpRequest' }
});

// Step 3: Periksa URL yang sebenarnya dikirim
console.log('URL yang dikirim:', resp.url);
// Expected output: /api/test-endpoint?kode_kabupaten=1234&admin=true&role=superadmin&filter[kode_kabupaten]=1234&admin=true&role=superadmin

// Step 4: Verifikasi parameter diterima backend
const data = await resp.text();
console.log('Response:', data);

// Alternatif: Test dengan jQuery AJAX
$.get('/api/desa', function(data) {
    console.log('jQuery AJAX berhasil dengan parameter terinjeksi');
});
// Periksa Network tab untuk melihat URL final

Fix:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
        
        // Validasi format kode kabupaten (hanya angka, 4-6 digit)
        if (!identitasOpenkab || !/^\d{4,6}$/.test(identitasOpenkab)) {
            console.error('Invalid kode_kabupaten format');
            return; // Abort jika tidak valid
        }
        
        // Encode value sebelum ditambahkan ke URL
        const encodedValue = encodeURIComponent(identitasOpenkab);
        
        if (settings.url.indexOf('?') === -1) {
            settings.url += '?kode_kabupaten=' + encodedValue + '&filter[kode_kabupaten]=' + encodedValue;
        } else {
            settings.url += '&kode_kabupaten=' + encodedValue + '&filter[kode_kabupaten]=' + encodedValue;
        }
    }
});

} else {
settings.url += '&kode_kabupaten=' + identitasOpenkab+'&filter[kode_kabupaten]=' + identitasOpenkab;
}
}
});
3 changes: 2 additions & 1 deletion resources/views/layouts/presisi/index.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="identitas-openkab" content="{{ str_replace('.','',$identitasAplikasi['kode_kabupaten'] ?? '') }}">
<title>{{ config('app.namaAplikasi') }}</title>

@include('layouts.presisi.partials.stylesheet')
Expand Down Expand Up @@ -59,7 +60,7 @@
</div>
<!-- /.content-wrapper -->
<footer class="main-footer ml-0">
<strong>Hak cipta © <?= date('Y') ?> <a href="https://opendesa.id">OpenDesa</a>.</strong>
<strong>Hak cipta © {{ date('Y') }} <a href="https://opendesa.id">OpenDesa</a>.</strong>
Seluruh hak cipta dilindungi.
<div class="float-right d-none d-sm-inline-block">
<b>Versi</b> {{ openkab_versi() }}
Expand Down
13 changes: 12 additions & 1 deletion resources/views/layouts/presisi/partials/javascript.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,17 @@
<script nonce="{{ csp_nonce() }}">
var selectedMenuObj = null;

$.ajaxSetup({
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 📝 Code Quality: Code Duplication - DRY Violation

Kategori: Architecture

Masalah: Sama dengan temuan di resources/js/web.js L10. Logic $.ajaxSetup() diduplikasi persis di file ini. Ini adalah copy-paste dari web.js yang ditempatkan di Blade partial admin panel.

Kode:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
        if (settings.url.indexOf('?') === -1) {
            settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        } else {
            settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        }
    }
});

Fix:
Lihat fix di temuan sebelumnya (web.js L10). Gunakan shared utility yang sama untuk menghindari duplikasi.

beforeSend: function(xhr, settings) {
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] 🐛 Bug: Undefined Injection ke URL AJAX (Duplikasi)

Kode: const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');

Skenario:

  • Sama persis dengan bug di resources/js/web.js line 12
  • Jika meta tag tidak ada di DOM, attr('content') return undefined
  • String literal "undefined" akan masuk ke semua AJAX request di admin panel
  • Karena ini di dalam $(function() {...}), error baru terdeteksi setelah DOM ready

Dampak:

  • Semua fitur admin yang pakai AJAX (DataTables, Select2 remote, form submission) akan kirim kode_kabupaten=undefined
  • Backend API menerima data invalid
  • Potensi crash atau data corruption jika backend tidak handle edge case ini

Fix:

$(function () {
    const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content') || '';
    
    if (!identitasOpenkab) {
        console.error('Meta tag identitas-openkab tidak ditemukan di admin panel');
        // Tampilkan alert ke user atau redirect ke error page
        return;
    }
    
    $.ajaxSetup({
        beforeSend: function(xhr, settings) {
            if (settings.url.indexOf('?') === -1) {
                settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
            } else {
                settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
            }
        }
    });
    
    // ... rest of code
});

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] ⚡ Performance: jQuery Selector Tanpa Cache di AJAX beforeSend (Duplikasi)

Masalah: Sama seperti resources/js/web.js - selector $('meta[name="identitas-openkab"]').attr('content') dipanggil berulang di setiap AJAX request. Masalah ini terduplikasi di admin panel, yang biasanya memiliki lebih banyak AJAX requests (DataTables, form submissions, live data).

Kode:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');

Dampak:

  • Production Impact: Admin panel dengan DataTables bisa melakukan 100+ AJAX requests per halaman (pagination, sorting, filtering)
  • Performance Cost: 100 requests × 1ms = 100ms overhead hanya untuk DOM query
  • User Experience: Pada koneksi lambat atau device low-end, ini bisa menyebabkan lag yang terasa
  • Worst Case: Dashboard dengan multiple DataTables + live charts = 200-300 AJAX requests = 200-300ms wasted

Fix:

// Cache selector di luar ajaxSetup
const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content') || '';

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        // Gunakan cached value
        if (settings.url.indexOf('?') === -1) {
            settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        } else {
            settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
        }
    }
});

Rekomendasi Tambahan: Pertimbangkan untuk membuat satu file shared JavaScript untuk logic ini agar tidak duplikasi kode antara web.js dan javascript.blade.php.

Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] 📝 Code Quality: Missing Null/Undefined Check

Kategori: JS Quality

Masalah: Sama dengan temuan di resources/js/web.js L12. Tidak ada validasi apakah meta tag identitas-openkab ada atau tidak sebelum digunakan.

Kode:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
if (settings.url.indexOf('?') === -1) {
    settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;

Fix:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
        
        if (!identitasOpenkab) {
            console.warn('Meta tag identitas-openkab tidak ditemukan, AJAX request tanpa kode_kabupaten');
            return;
        }
        
        const params = `kode_kabupaten=${identitasOpenkab}&filter[kode_kabupaten]=${identitasOpenkab}`;
        settings.url += settings.url.indexOf('?') === -1 ? `?${params}` : `&${params}`;
    }
});

if (settings.url.indexOf('?') === -1) {
settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL] 🔒 Security: URL Parameter Injection via Unencoded Meta Tag Value (Duplicate)

Masalah: Identik dengan isu di resources/js/web.js - nilai identitasOpenkab dari meta tag langsung dikonkatenasi ke URL tanpa encodeURIComponent(). Ini adalah duplikasi kode yang sama di admin panel.

Kode:

const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
if (settings.url.indexOf('?') === -1) {
    settings.url += '?kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
} else {
    settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
}

Risiko:

  • Parameter Pollution: Attacker inject parameter tambahan seperti &is_admin=1
  • Authorization Bypass: Jika backend filter berdasarkan kode_kabupaten, bisa di-bypass
  • Admin Panel Exposure: Lebih berbahaya karena ini di admin panel dengan privilege lebih tinggi
  • Impact: Semua AJAX request di admin panel terpengaruh

PoC (Chrome Console):

// Jalankan di Chrome DevTools Console (F12 → Console)
// Pastikan sudah login sebagai admin di panel /presisi

// Step 1: Manipulasi meta tag untuk inject parameter privilege escalation
$('meta[name="identitas-openkab"]').attr('content', '1234&bypass_auth=1&role_id=1');

// Step 2: Trigger AJAX request ke endpoint admin (contoh DataTables)
const adminEndpoint = '/presisi/api/users'; // Sesuaikan dengan endpoint yang ada
const resp = await fetch(adminEndpoint, {
    method: 'GET',
    headers: { 
        'X-Requested-With': 'XMLHttpRequest',
        'Accept': 'application/json'
    }
});

// Step 3: Periksa URL yang sebenarnya dikirim
console.log('Admin URL yang dikirim:', resp.url);
// Expected: /presisi/api/users?kode_kabupaten=1234&bypass_auth=1&role_id=1&filter[kode_kabupaten]=1234&bypass_auth=1&role_id=1

// Step 4: Cek apakah parameter terinjeksi diterima backend
const data = await resp.json();
console.log('Admin Response:', data);

// Alternatif: Test dengan DataTables AJAX yang umum di AdminLTE
$('#example-table').DataTable().ajax.reload();
// Periksa Network tab untuk melihat parameter yang terinjeksi

Fix:

$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        const identitasOpenkab = $('meta[name="identitas-openkab"]').attr('content');
        
        // Validasi format kode kabupaten (hanya angka, 4-6 digit)
        if (!identitasOpenkab || !/^\d{4,6}$/.test(identitasOpenkab)) {
            console.error('Invalid kode_kabupaten format');
            return; // Abort jika tidak valid
        }
        
        // Encode value sebelum ditambahkan ke URL
        const encodedValue = encodeURIComponent(identitasOpenkab);
        
        if (settings.url.indexOf('?') === -1) {
            settings.url += '?kode_kabupaten=' + encodedValue + '&filter[kode_kabupaten]=' + encodedValue;
        } else {
            settings.url += '&kode_kabupaten=' + encodedValue + '&filter[kode_kabupaten]=' + encodedValue;
        }
    }
});

Rekomendasi Tambahan:

  • Pertimbangkan untuk membuat fungsi helper terpusat daripada duplikasi kode
  • Tambahkan server-side validation untuk memastikan kode_kabupaten valid
  • Gunakan whitelist approach di backend untuk parameter yang diizinkan

} else {
settings.url += '&kode_kabupaten=' + identitasOpenkab + '&filter[kode_kabupaten]=' + identitasOpenkab;
}
}
});

$('.item-menu').each(function(i, obj) {
if ($(obj).attr('href') === window.location.pathname) {
selectedMenuObj = obj;
Expand All @@ -50,4 +61,4 @@
}
}
});
</script>
</script>
1 change: 1 addition & 0 deletions resources/views/layouts/web.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
<meta content="width=device-width, initial-scale=1.0" name="viewport">
<meta content="" name="keywords">
<meta content="" name="description">
<meta name="identitas-openkab" content="{{ str_replace('.','',$identitasAplikasi['kode_kabupaten'] ?? '') }}">
<base href="{{ route('web.index') }}" />
<!-- Favicon -->
<link href="{{ asset('web/img/logo.png') }}" rel="icon">
Expand Down
18 changes: 2 additions & 16 deletions resources/views/web/partials/property.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ class="fa fa-home text-primary me-2"></i>0
const urlDesaAktif = new URL(
"{{ config('app.databaseGabunganUrl') . '/api/v1/desa-aktif' }}");

$.get(urlDesaAktif, {}, function(result) {
$.get(urlDesaAktif+'?page[size]=6', {}, function(result) {
if (result.data.length > 0) {
let _elm
result.data.forEach((item, index) => {
Expand All @@ -71,21 +71,7 @@ class="fa fa-home text-primary me-2"></i>0
item.attributes.rtm + ' RTM')
})
}
}, 'json')
// $.get('{{ url('index.php/api/v1/desa-aktif') }}', {}, function(result){
// if (result.data.length > 0){
// let _elm
// result.data.forEach((item, index) => {
// _elm = $('.replace-content-property .kelurahan-item').eq(index)
// _elm.find('.nama-desa-elm').text(item.attributes.nama_desa)
// _elm.find('.website-elm').attr('href', item.attributes.website ?? '#')
// _elm.find('.penduduk-elm').html('<i class="fa fa-users text-primary me-2"></i>'+item.attributes.penduduk+ ' Penduduk')
// _elm.find('.alamat-elm').html('<i class="fa fa-map-marker-alt text-primary me-2"></i>'+(item.attributes.alamat ?? 'alamat belum ditentukan'))
// _elm.find('.keluarga-elm').html('<i class="fa fa-venus-mars text-primary me-2"></i>'+item.attributes.keluarga+ ' Keluarga')
// _elm.find('.rtm-elm').html('<i class="fa fa-home text-primary me-2"></i>'+item.attributes.rtm+ ' RTM')
// })
// }
// }, 'json')
}, 'json')
});
</script>
@endpush
Loading