Posts: 7
Oct 16th, 2015 - 08:08
http://kuro-rpg.net/?direct=forum&thread=65&count=1

I accidentally posted this with an empty everything. I was able to edit in some content, but no title. I think it's un-clickable from the board page.
[insert witty comment here]
Posts: 208
Oct 16th, 2015 - 17:04
Oh wow. Thank you for bringing this up. I need to do some work on the site, then.

I took care of the empty thread problem and removed it.

I was thinking for registered accounts, I could up the amount of javascript used to help deal with certain problems, like this one. For instance, I can set the submission form to only appear with javascript enabled and disable the 'complete' button at the start, unless you have some content in the post.

Would that work?
We are Kuro-RPG! Lower your firewalls and surrender your sites.

Posts: 7
Oct 17th, 2015 - 18:11
Javascript is probably a bad idea; it can always be disabled. You want to evaluate the content on POST to ensure that there is some content before adding it to the database.
[insert witty comment here]
Posts: 208
Oct 17th, 2015 - 18:55
For a casual browser, having javascript disabled will make no difference since it is not a necessity. However, for those who have accounts on the site, some javascript is necessary for some of the stuff to function properly, like submitting stuff. Buttons that handle submitting data can be disabled by default, and checks can be run to make sure you have sufficient post in a submission box before it gets uploaded. Still, I don't see a reason why both could not be handled.

At the moment I am tackling editors.

And just to let you know, I run script blockers everywhere as a precaution, so I can appreciate the concept of having javascript turned off. I know what I code is entirely local, since I don't source my code from anywhere, so there are no unknowns, no unwanted back doors, etc. If I have javascript on my site turned on, I know it's safe.
We are Kuro-RPG! Lower your firewalls and surrender your sites.

Posts: 7
Oct 19th, 2015 - 06:27
I'm saying that there are tools like Selenium that can modify form data outside of the constraints of the web browser. Javascript won't stop anyone from abusing this method. That's why it's best to evaluate the data on POST, after it's submitted to your server, because that way it's past the ability of anyone to modify it without your knowledge.

So, for example, let's assume your code takes the post form data and immediately creates a new topic entry in your database, populated with the form data. It shouldn't be too hard to do a null check on something like the Thread Name to ensure that it is not empty and prevent the site from being broken by unclickable topics.
[insert witty comment here]
Posts: 208
Oct 21st, 2015 - 16:38
I wouldn't use javascript to submit the data. That would still be handled on the server end (same with account permissions, etc.), but I guess you are describing an issue where a Selenium user can overwrite the settings for the checks to make sure the fields are full.

At the moment, all sections that use a submission form submit to a 'universal' script I set up that handles all the potential data and goes from there. Somehow I would need to plug in something where it is supposed to check for specific fields and return a negative value if the checks fail. It's already done for the few scripts which do not run through the universal script, like Contact, Registration, etc.
We are Kuro-RPG! Lower your firewalls and surrender your sites.
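An added example (not code from the Kuro-RPG site, whose forum script is not shown in this thread) of the server-side check discussed above: one 'universal' handler that looks up the required fields for each form and rejects the submission before any database record is built, treating whitespace-only and invisible-character titles as empty. The form and field names are assumptions.

```python
import re
from typing import Dict, List, Mapping

# Per-form list of fields that must be non-empty after normalization.
# Hypothetical names; the site's real form and field names are not on the page.
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "new_thread": ["thread_name", "body"],
    "reply": ["body"],
    "contact": ["email", "message"],
}

# Characters that render as blank but survive a naive `if value:` check
# (ordinary whitespace, NBSP, zero-width spaces/joiners, word joiner, BOM).
_INVISIBLE = re.compile(r"[\s\u00a0\u200b\u200c\u200d\u2060\ufeff]+")


def normalize(value) -> str:
    """Coerce a submitted value to text and collapse invisible characters."""
    if value is None:
        return ""
    if isinstance(value, (list, tuple)):  # repeated field: use the first entry
        value = value[0] if value else ""
    return _INVISIBLE.sub(" ", str(value)).strip()


def validate_submission(form_name: str, data: Mapping[str, object]) -> List[str]:
    """Return error messages; an empty list means the post may be stored."""
    required = REQUIRED_FIELDS.get(form_name)
    if required is None:
        return [f"unknown form '{form_name}'"]
    errors = []
    for field in required:
        if not normalize(data.get(field)):
            errors.append(f"{field} must not be empty")
    return errors


def handle_post(form_name: str, data: Mapping[str, object]) -> dict:
    """Universal entry point: validate first, only then build the record."""
    errors = validate_submission(form_name, data)
    if errors:
        return {"ok": False, "errors": errors}
    record = {f: normalize(data.get(f)) for f in REQUIRED_FIELDS[form_name]}
    return {"ok": True, "record": record}
```

Because the check runs on the server against the raw POST body, a client that skips or edits the browser-side script still cannot create a titleless thread.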

Posts: 7
Oct 24th, 2015 - 18:36
Yep, that's probably exactly what needs to be done.
[insert witty comment here]