7 years ago
Since I just noticed how easy JS injection is over here... https://gamebuino.com/community/topic/website-bug-reports-requests?page=1
I gotta wonder: what kind of security is there currently? To prevent JS injection I'd recommend adding a whitelist of allowed HTML tags. If you are using PHP, it has a built-in function for that! https://secure.php.net/manual/en/function.strip-tags.php Other languages probably have similar.
And, on the topic of security, how are passwords being hashed? I'm curious because there are many ways to do it wrong, and oh-too-many big companies and the like also do it wrong....
7 years ago
Okay so the website is made using Laravel, and the whole website is protected against XSS injections using blade templates {{ }}
https://laravel.com/docs/5.4/blade#displaying-data
Except for the forum, where he left a {!!} to go faster as it was maybe interfering with other things (like emotes). But it's going to be fixed as it was just a placeholder solution.
Laravel's encrypter uses OpenSSL to provide AES-256 and AES-128 encryption. You are strongly encouraged to use Laravel's built-in encryption facilities and not attempt to roll your own "home grown" encryption algorithms. All of Laravel's encrypted values are signed using a message authentication code (MAC) so that their underlying value can not be modified once encrypted.
https://laravel.com/docs/5.4/encryption
Plus login cookies and passwords are hashed.
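The difference between Blade's `{{ }}` and `{!! !!}` discussed in this post, and the `strip_tags()` whitelist suggested in the first post, shown side by side. This is an added example, not the Gamebuino site's or Laravel's own code; `bladeEscaped()` only approximates Laravel's `e()` helper (the exact `htmlspecialchars` flags differ between Laravel versions), and the forum post below is constructed for the demo.

```php
<?php
// Added example: what escaped vs. raw Blade output does with forum input,
// and why a strip_tags() whitelist on its own is not a complete fix.

declare(strict_types=1);

// Approximation of Blade's {{ $value }}: Laravel passes the value through
// htmlspecialchars(), so any markup in it is displayed as literal text.
function bladeEscaped(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Equivalent of Blade's {!! $value !!}: the value is emitted unchanged,
// so any tag a user typed becomes part of the rendered page.
function bladeRaw(string $value): string
{
    return $value;
}

// Whitelist approach from the first post: keep only a few formatting tags.
// Caveat: strip_tags() does not touch the attributes of the tags it allows,
// so on its own it is weaker than escaping; use it in addition to {{ }},
// or combine it with attribute filtering.
function keepAllowedTags(string $value): string
{
    return strip_tags($value, '<b><i><code>');
}

// Constructed forum post for the demo, not real user content.
$post = 'Hello <b>world</b> <script>console.log("injected")</script>';

printf("raw:      %s\n", bladeRaw($post));        // script tag reaches the browser
printf("escaped:  %s\n", bladeEscaped($post));    // shown as text, nothing executes
printf("filtered: %s\n", keepAllowedTags($post)); // <b> kept, <script> tag removed
```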
7 years ago
Okay, that sounds great! And, if you use Laravel's hashing for passwords (which I'll assume at this point) then everything is good to go and my worries have been resolved. Thank you!
EDIT: you just edited your post to say the pwds are hashed with that, great!