Skip to content

penambahan kolom penggunaan tema di laporan desa #653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vickyrolanda merged 6 commits into from
Apr 15, 2026
Merged

penambahan kolom penggunaan tema di laporan desa #653

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
bb55d23
Merge remote-tracking branch 'origin/rilis-dev' into dev-535
pandigresik Apr 7, 2026
5e12577
penambahan kolom penggunaan tema di laporan desa
pandigresik Apr 7, 2026
1a3fdd1
Merge branch 'rilis-dev' into dev-646
vickyrolanda Apr 15, 2026
8a56b4a
perbaikan test
pandigresik Apr 15, 2026
6f04580
Merge branch 'rilis-dev' into dev-646
vickyrolanda Apr 15, 2026
5eb8815
[ci skip] memutahirkan catatan rilis
vickyrolanda Apr 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion app/Http/Controllers/LaporanController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
use App\Models\Desa;
use App\Models\Scopes\RegionAccessScope;
use App\Services\SebutanDesaService;
use App\Services\TemaService;
use Illuminate\Http\Request;
use Maatwebsite\Excel\Facades\Excel;
use Yajra\DataTables\Facades\DataTables;
Expand Down Expand Up @@ -44,6 +45,7 @@ public function desa(Request $request)
'tipe_pengguna' => $request->tipe_pengguna,
'layanan' => $request->layanan,
'sebutan_desa' => $request->sebutan_desa,
'tema' => $request->tema
];
$hiddenColumns = [];
$adminWilayah = auth()->check() && auth()->user()->isAdminWilayah();
Expand Down Expand Up @@ -84,7 +86,8 @@ public function desa(Request $request)
->make(true);
}
$sebutanDesaList = (new SebutanDesaService())->getSebutanDesaList();
return view('laporan.desa', compact('fillters', 'hiddenColumns', 'sebutanDesaList'));
$temaList = (new TemaService())->getList();
return view('laporan.desa', compact('fillters', 'hiddenColumns', 'sebutanDesaList', 'temaList'));
}

public function deleteDesa(Desa $desa)
Expand Down
3 changes: 3 additions & 0 deletions app/Models/Desa.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -405,6 +405,7 @@ public function scopeFillter($query, array $fillters)
'tipe_pengguna' => null,
'layanan' => null,
'sebutan_desa' => null,
'tema' => null,
], $fillters);

return $query->select(['*'])
Expand Down Expand Up @@ -474,6 +475,8 @@ public function scopeFillter($query, array $fillters)
})
->when($fillters['sebutan_desa'], function ($query, $sebutanDesa) {
$query->sebutanDesa($sebutanDesa);
})->when($fillters['tema'], function ($query, $tema) {
$query->where('tema',$tema);
});
}

Expand Down
3 changes: 1 addition & 2 deletions app/Services/SebutanDesaService.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,7 @@
use App\Models\Desa;
use Illuminate\Support\Facades\Cache;

class
SebutanDesaService
class SebutanDesaService
{
/**
* Cache key for sebutan desa list.
Expand Down
49 changes: 49 additions & 0 deletions app/Services/TemaService.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
<?php

namespace App\Services;

use App\Models\Desa;
use Illuminate\Support\Facades\Cache;

class TemaService
{
/**
* Cache key for sebutan desa list.
*/
private const CACHE_KEY = 'tema_list';

/**
* Cache duration in hours.
*/
private const CACHE_DURATION_HOURS = 24;

/**
* Get all unique sebutan desa values from database.
*
* @return array<string>
*/
public function getList(): array
Copy link
Copy Markdown

@devopsopendesa devopsopendesa Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] 🔒 Security: Potensi Double Encoding pada Output Tema

Masalah:
Data tema dari database di-encode dengan htmlspecialchars() di service layer, kemudian di-output lagi di Blade view dengan {{ }} yang juga melakukan HTML escaping. Ini menyebabkan double encoding yang bisa membuat karakter khusus ditampilkan sebagai entity HTML (contoh: &amp; menjadi &amp;amp;).

Kode:

->map(function ($tema) {
    return [
        'id' => htmlspecialchars($tema, ENT_QUOTES, 'UTF-8'),
        'text' => htmlspecialchars($tema, ENT_QUOTES, 'UTF-8'),
    ];
})

Risiko:

  • Severity: MEDIUM - Tidak menyebabkan kerentanan keamanan langsung, tetapi:
    • Jika tema mengandung karakter seperti &, <, >, ", ' akan ditampilkan sebagai HTML entities (&amp;, &lt;, dll) di UI
    • User experience terganggu karena nama tema tidak ditampilkan dengan benar
    • Inkonsistensi data antara yang tersimpan di database vs yang ditampilkan
    • Potensi bug di masa depan jika developer lain tidak aware tentang double encoding ini

Contoh Dampak:
Jika ada tema bernama "Tema A & B" di database:

  1. Service encode: "Tema A &amp; B"
  2. Blade encode lagi: "Tema A &amp;amp; B"
  3. User melihat: "Tema A &amp; B" (salah tampilan)

PoC (Chrome Console):

// Simulasi untuk melihat dampak double encoding
// Jalankan di Chrome DevTools Console (F12 → Console)

// 1. Buat tema dengan karakter khusus di database (via SQL atau seeder)
// INSERT INTO desa (nama, tema) VALUES ('Test Desa', 'Tema "Modern" & Responsive');

// 2. Akses halaman laporan desa
// window.location.href = '/laporan/desa';

// 3. Inspect dropdown tema di DevTools Elements tab
// Cari <select id="tema"> dan lihat <option> values

// 4. Verifikasi double encoding dengan JavaScript
const temaDropdown = document.getElementById('tema');
if (temaDropdown) {
    const options = Array.from(temaDropdown.options);
    options.forEach(opt => {
        if (opt.value.includes('&amp;') || opt.text.includes('&amp;')) {
            console.warn('⚠️ Double encoding detected!');
            console.log('Value:', opt.value);
            console.log('Text:', opt.text);
            console.log('Expected:', opt.value.replace(/&amp;/g, '&'));
        }
    });
} else {
    console.log('Tema dropdown not found on this page');
}

// 5. Test filter dengan tema yang ter-encode
// Pilih tema yang mengandung karakter khusus dan submit form
document.getElementById('form-filter').addEventListener('submit', function(e) {
    const selectedTema = document.getElementById('tema').value;
    console.log('Selected tema value:', selectedTema);
    console.log('Will be sent to server as:', encodeURIComponent(selectedTema));
});

Fix:
Hapus htmlspecialchars() dari service layer karena Blade sudah melakukan auto-escaping. Biarkan Blade yang handle output escaping:

// app/Services/TemaService.php
public function getList(): array
{
    return Cache::remember('tema_list', now()->addDay(), function () {
        return Desa::select('tema')
            ->distinct()
            ->whereNotNull('tema')
            ->where('tema', '!=', '')
            ->orderBy('tema')
            ->pluck('tema')
            ->map(function ($tema) {
                return [
                    'id' => $tema,      // Hapus htmlspecialchars()
                    'text' => $tema,    // Hapus htmlspecialchars()
                ];
            })
            ->toArray();
    });
}

Penjelasan Fix:

  • Blade {{ }} syntax sudah otomatis melakukan htmlspecialchars() saat rendering
  • Dengan menghapus encoding di service layer, kita menghindari double encoding
  • Data tetap aman dari XSS karena Blade escaping
  • Jika butuh raw output, gunakan {!! !!} (tapi tidak disarankan untuk user input)

Catatan Tambahan:

  • Jika ada kebutuhan khusus untuk pre-encode data (misalnya untuk API JSON response), pertimbangkan membuat method terpisah getListForApi() yang melakukan encoding
  • Untuk consistency, terapkan pattern yang sama di SebutanDesaService.php yang juga melakukan hal serupa

Copy link
Copy Markdown
Collaborator Author

@pandigresik pandigresik Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sudah mengikuti saran dari PR sebelumnya #649 (comment), jadi tetap gunakan htmlspecialchars

{
return Cache::remember(self::CACHE_KEY, now()->addDay(), function () {
$data = Desa::select('tema')->whereNotNull('tema')
->distinct()
->pluck('tema', 'tema')
->toArray();

// Sanitize setiap value untuk mencegah XSS
return array_map(function ($value) {
return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}, $data);
});
}

/**
* Clear the sebutan desa cache.
*
* @return bool
*/
public function clearCache(): bool
{
return Cache::forget(self::CACHE_KEY);
}
}
1 change: 1 addition & 0 deletions catatan_rilis.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ Di rilis v2604.0.0 berisi perbaikan yang diminta Komunitas Open Desa.
2. [#614](https://github.com/OpenSID/pantau/issues/614) Penyesuaian jumlah desa aktif.
3. [#636](https://github.com/OpenSID/pantau/issues/636) Penambahan filter tipe pengguna & kolom tema di laporan desa.
4. [#535](https://github.com/OpenSID/pantau/issues/535) Penambahan label kolom pengguna Dasbor SiapPakai atau Lisensi Premium.
5. [#646](https://github.com/OpenSID/pantau/issues/646) Penambahan kolom penggunaan tema di laporan desa.

#### Perbaikan Bug

Expand Down
2 changes: 2 additions & 0 deletions resources/views/laporan/desa.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@
const $akses = $('#akses');
const $layanan = $('#layanan');
const $sebutanDesa = $('#sebutan_desa');
const $tema = $('#tema');

switch (params.get('status')) {
case '1':
Expand Down Expand Up @@ -169,6 +170,7 @@
data.sebutan_desa = $sebutanDesa.val();
data.versi_lokal = params.get('versi_lokal');
data.versi_hosting = params.get('versi_hosting');
data.tema = $tema.val();
},
error: function(xhr, error, thrown) {
console.error('Error loading desa data:', error, thrown);
Expand Down
29 changes: 29 additions & 0 deletions resources/views/layouts/components/form_filter.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,21 @@
</div>
@endif

@if (array_key_exists('tema', $fillters))
<div class="col-sm">
<div class="form-group">
<label>Tema</label>
<select class="select2 form-control-sm" id="tema" name="tema"
data-placeholder="Semua Tema" style="width: 100%;">
<option selected value="">Semua Tema</option>
@foreach((isset($temaList) ? $temaList : []) as $tema)
<option value="{{ $tema }}">{{ $tema }}</option>
@endforeach
</select>
</div>
</div>
@endif

@if (array_key_exists('akses_mobile', $fillters))
<div class="col-sm">
<div class="form-group">
Expand Down Expand Up @@ -244,3 +259,17 @@ class="fas fa-search"></span></button>
</div>
<hr class="mt-0">
</div>

@push('js')
<script>
$(document).ready(function(){
$('#status').select2();
$('#akses').select2();
$('#tte').select2();
$('#tipe_pengguna').select2();
$('#sebutan_desa').select2();
$('#layanan').select2();
$('#tema').select2();
});
</script>
@endpush()
7 changes: 1 addition & 6 deletions resources/views/layouts/components/select2_wilayah.blade.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,11 +172,6 @@
},
allowClear: true,
placeholder: 'Pilih Suku',
});

$('#status').select2();
$('#akses').select2();
$('#tte').select2();
$('#tipe_pengguna').select2();
});
</script>
@endpush()
2 changes: 1 addition & 1 deletion tests/Feature/Api/TrackControllerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -381,7 +381,7 @@ public function handles_contact_information()
public function handles_theme_information()
{
// Get existing wilayah data for valid region codes
$wilayah = Wilayah::inRandomOrder()->first();
$wilayah = Wilayah::inRandomOrder()->whereNotNull('nama_desa')->first();
$this->assertNotNull($wilayah, 'No wilayah data found in region table');

$requestData = [
Expand Down