Sunday, April 20, 2025

PureQML Followup - Initial Code Audit Notes

Following on my previous post, I did some more poking around the PureQML code as an initial stage towards vetting whether it is a suitable and/or trustworthy codebase to build any projects with.

Here are some observations I've made regarding things I'd want to fork + hack the codebase to do before I did anything more serious with it. I thought I'd post these here in case I lost the file I kept these notes in when I came back to try to work on this later (and also for anyone else considering using this).

DISCLAIMER:  I still don't know all that much about this project, so some of these may be able to be fully disabled + fixed in ways that I haven't found yet.

 

EDIT 2025/04/25:

* Have forked the pureqml/qmlcore repo with these changes to

    https://github.com/Aligorith/pureqml_qmlcore/tree/PureQML-Clean

* Added "Issue 5" below

 

 

From the Default Template Project + Autogenerated Code

1) The following "fingerprint" crap has to go:
```

//=====[import web.device]=====================

var Device = function(ui) {
    var context = ui._context
    if ($manifest$system$fingerprint) {
        var fingerprint = new $html5.fingerprint.fingerprint.Fingerprint()
        context.backend.fingerprint(context, fingerprint)
        ui.deviceId = fingerprint.finalize()
        log("deviceId", ui.deviceId)
    } else {
        var deviceString = context.system.os + "_" + context.system.browser
        deviceString = deviceString.replace(/\s/g, '')
        ui.deviceId = deviceString + "_" + Math.random().toString(36).substr(2, 9)
    }
}


```

This too:
```

exports.fingerprint = function(ctx, fingerprint) {
    var html = exports
    try {
        var fcanvas = html.createElement(ctx, 'canvas')
        var w = 2000, h = 32
        fcanvas.dom.width = w
        fcanvas.dom.height = h
        var txt = "ABCDEFGHIJKLMNOPQRSTUVWXYZ /0123456789 abcdefghijklmnopqrstuvwxyz £©µÀÆÖÞßéöÿ –—‘“”„†•…‰™œŠŸž€ ΑΒΓΔΩαβγδω АБВГДабвгд ∀∂∈ℝ∧∪≡∞ ↑↗↨↻⇣ ┐┼╔╘░►☺♀ fi�⑀₂ἠḂӥẄɐː⍎אԱა"
        var fctx = fcanvas.dom.getContext('2d')
        fctx.textBaseline = "top";
        fctx.font = "20px 'Arial'";
        fctx.textBaseline = "alphabetic";
        fctx.fillStyle = "#fedcba";
        fctx.fillRect(0, 0, w, h);
        fctx.fillStyle = "#12345678";
        fctx.fillText(txt, 1.5, 23.5, w);
        fctx.font = "19.5px 'Arial'";
        fctx.fillStyle = "#789abcde";
        fctx.fillText(txt, 1, 22, w);
        fingerprint.update(fcanvas.dom.toDataURL())
    } catch(ex) {
        log('canvas test failed: ' + ex)
    }
    try { fingerprint.update(window.navigator.userAgent) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.plugins) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.mimeTypes) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.language) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.platform) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.product) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.productSub) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.vendorSub) } catch (ex) { log(ex) }
    try { fingerprint.update(window.navigator.hardwareConcurrency) } catch (ex) { log(ex) }

    try { fingerprint.update(window.screen.availWidth) } catch (ex) { log(ex) }
    try { fingerprint.update(window.screen.availHeight) } catch (ex) { log(ex) }
    try { fingerprint.update(window.screen.colorDepth) } catch (ex) { log(ex) }
}

```


2) So too the "Video Player" functionality - That should not be in the core library, but rather, as a plugin for video playback

3) There's an open XSS bug on their bug tracker - https://github.com/pureqml/qmlcore/issues/67

4) Location API - Again, maybe needed for some apps, but it really shouldn't have lots of invasive stuff like this built in by default 

5) Google Tags / Analytics tracking garbage - I can't seem to figure out what is adding this to the generated output, but it would be good if we could turn it off!

```

<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-[REDACTED]"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-[REDACTED]');
</script>

```
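A check along these lines can confirm that a fork's generated output no longer contains the fingerprinting and Google Analytics code quoted above. This is an added example, not code from the original post or from PureQML; the marker patterns come from the snippets in this post, the sample input is constructed, and the `navigator.geolocation` pattern is an assumption about how the Location API shows up in the output.

```javascript
// Added example: audit generated output for the tracking code quoted in this post.
// Patterns are non-global regexes, so test() keeps no state between lines.
const MARKERS = [
  { id: 'fingerprint-flag',   re: /\$manifest\$system\$fingerprint/ },
  { id: 'fingerprint-update', re: /\bfingerprint\.update\s*\(/ },
  // toDataURL also has legitimate uses; treat a hit as "review", not proof.
  { id: 'canvas-readback',    re: /\.toDataURL\s*\(/ },
  { id: 'navigator-entropy',  re: /navigator\.(plugins|mimeTypes|hardwareConcurrency|productSub|vendorSub)\b/ },
  { id: 'gtag-loader',        re: /googletagmanager\.com\/gtag\/js/ },
  { id: 'gtag-call',          re: /\bgtag\s*\(\s*['"]config['"]/ },
  // Assumption: the Location API surfaces as navigator.geolocation in the output.
  { id: 'geolocation',        re: /navigator\.geolocation\b/ },
];

// Returns one finding per (line, marker) hit, in file order.
function auditGeneratedOutput(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of MARKERS) {
      if (re.test(line)) {
        findings.push({ id, line: i + 1, text: line.trim().slice(0, 80) });
      }
    }
  });
  return findings;
}

// Collapses findings into a per-marker count, useful as a CI gate.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.id] = (counts[f.id] || 0) + 1;
  return counts;
}

// Constructed sample, assembled from lines quoted in this post.
const SAMPLE = [
  '<script async src="https://www.googletagmanager.com/gtag/js?id=UA-[REDACTED]"></script>',
  "<script>gtag('config', 'UA-[REDACTED]');</script>",
  'if ($manifest$system$fingerprint) {',
  'fingerprint.update(fcanvas.dom.toDataURL())',
  'try { fingerprint.update(window.navigator.plugins) } catch (ex) { log(ex) }',
  'var deviceString = context.system.os + "_" + context.system.browser',
].join('\n');

console.log(summarize(auditGeneratedOutput(SAMPLE)));
```

Run against the real build output, any non-empty result means the tracking code is still being emitted.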

 


From the Actual QML / UI Building Side

Having checked the "UI widgets" repo (which sits alongside the core one, but has to be separately downloaded), IMO:

1) There are massive gaps in the set of widgets provided. A whole bunch of important stuff is not there.

2) There is also a whole bunch of crap / cruft that most projects wouldn't want either

3) Of the useful ones that are implemented, IIRC the sliders look rather ugly, and a bunch of other things were not that well built...

 

In other words:  If I were to use something like this, I'd have to commit to building the full UI toolkit myself (which isn't too much of a step from what I was going to do eventually on one of my projects, but it certainly isn't something I'd recommend if you're just trying to have something to use for another project)

 

From the Compiler Internals

Unfortunately, I haven't had time to fully deep-dive into and take that apart yet, other than that it's quite a dense web of regexes that are not written in a way that makes them easy to extend or debug.

 

Maybe after fixing the critical issues above (*if* I get around to doing that), I can have a better feel for commenting on this.
