Security questions

Help & questions

Sorunome

2 months ago

Since i just noticed how easily JS injection is over here... https://gamebuino.com/community/topic/website-bug-reports-requests?page=1

I gotta wonder: what kind of security is there currently? To prevent JS injection i'd recommend to add a whitelist of allowed HTML tags. If you are using PHP, it has a built-in function for that! https://secure.php.net/manual/en/function.strip-tags.php Other languages probably have similar

And, on the topic of security, how are passwords being hashed? I'm curious because there are many ways to do it wrongand oh-too-many big companies and thelike also do it wrong....

Rodot

NEW 2 months ago

Okay so the website is made using Laravel, and the whole website is protected against XSS injections using blade templates {{ }}

https://laravel.com/docs/5.4/blade#displaying-data

Except for the forum, where he left a {!!} to go faster as it was maybe interfering with other things (like emotes). But it's going to be fixed as it was just a placeholder solution.

Laravel's encrypter uses OpenSSL to provide AES-256 and AES-128 encryption. You are strongly encouraged to use Laravel's built-in encryption facilities and not attempt to roll your own "home grown" encryption algorithms. All of Laravel's encrypted values are signed using a message authentication code (MAC) so that their underlying value can not be modified once encrypted.

https://laravel.com/docs/5.4/encryption

Plus login cookies and passwords are hashed.

https://laravel.com/docs/5.4/hashing

Sorunome

NEW 2 months ago

Okay, that sounds great! And, if you use lavarels hashing for passwords (which i'll assume at this point) then everything is good to go and my worries have been resolved. Thank you!

EDIT: you just edited your post to say the pwds are hashed with that, great!

You must be logged in in order to post a message on the forum

Log in