Authors who seek to help me and not criticize me.

Zhareiv · September 19, 2020, 10:59pm

Hello folks on this Envato forum, could you help me with a little something?

I will briefly tell you the problem: I have been trying to upload an article for approximately 4 months, in those same 4 months, Envato makes the same observations to me, with the list of errors or points that they want me to change. In these 4 months it remains exactly the same, without changes. Despite the modifications that I make to my code.

What I ask Envato to explain is where I’m wrong, so I can focus on that mistake, but Envato sends me the exact same list again, without any changes.

This does not seem fair to me as I am correcting blindly. I would like you to tell me what I need to correct specifically. More again I receive the same list with the same observations.

That doesn’t seem fair to me so I ask for your help to help me go through my script code and find the error.

I ask you to download this file, do not worry, as the author and creator of it, I give you the permission to download this code.

Don’t suppress errors: https://envato.d.pr/l0Tp79
Remove all unused code: https://envato.d.pr/pxPs4fhttps://envato.d.pr/v10JO1
Keep libraries up-to-date, and don’t load from CDN: https://envato.d.pr/EMoI2X
Sanitize all input data: https://envato.d.pr/tRpfBW
All JavaScript should be written with “use strict” mode on.
For example, you can do this with jQuery as follows:
(function($) { “use strict”; // Author code here })(jQuery);
Use .on() rather than .click(), .bind(), .hover(), .submit() etc… https://envato.d.pr/6Q9kKv
md5() is cryptographically broken and should not be used.
Data Validation issues have been found. Do a global search for “echo $”.
All dynamic data must be correctly escaped for the context where it is rendered.

baevox · September 20, 2020, 6:15am

Hello

1. Don’t suppress errors:
If You put an @ in front of your function call it will suppress all error messages (Remove all @)

2. Remove all unused code:
Remove all commented code

3. Keep libraries up-to-date, and don’t load from CDN:
Download latest version of jQuery & other libraries on your local machine and include it in your HTML code.

4. Sanitize all input data:
Reference - https://www.php.net/manual/en/filter.filters.sanitize.php

6. Use .on() rather than .click(), .bind(), .hover(), .submit()
Try this

$(’.elementClass’).on(‘click’, function() {
});

7. md5() is cryptographically broken and should not be used.
For signing documents, sha2 (e. g. sha512) is considered secure. For storing passwords, you should use one of the algorithms dedicated for this purpose: e. g. bcrypt, sha512crypt or scrypt. In order to slow down an attacker, these algorithms apply the hash functions many times with an input that is based on the number of the current round.

8. Data Validation issues have been found. Do a global search for “echo $”.
All dynamic data must be correctly escaped for the context where it is rendered.
Try echo htmlspecialchars($variable);

Zhareiv · September 22, 2020, 10:21pm

Sorry for the delay and thanks for your explanation.
The problem is that this is not in my code, the 8 observations that you are making to me, just like the Envato team, I understand them perfectly. I would like you to please look at my code and look for those errors. Since my code is clean, but that’s the problem.
I’m not saying this in a rude way, but I would like you to take a look at the code and then leave your opinion.

Thank you.

NextLoop · September 24, 2020, 2:28am

Just from a quick look, you should remove inline javascript. Place all javascript code in .js files

Also the javascript you have used in these example files, is not in strict mode, as per the reviewers coment.

themes\default\layout\template\home.php
themes\default\layout\template\footer.php

The reviewer also said you should not use md5() function. You have it in this file

application\system\core\image.php

You are echoing data without escaping it. It may very well be that you are sanitizing it when you save it in the database, but when the reviewer sees a line like the one below, it seems unsafe because you are not escaping it in anyway. if you were using a template engine like blade and you had {{ $value[‘foobar’] }} it would be known that the double curly brackets are properly protecting from xss by using converting any html tags

echo $value[‘foobar’];
admin-panel\pages\server\content.php (line:116)

you could perhaps do this, as per the reviewers suggestions

echo htmlspecialchars($value[‘foobar’]);

I know its difficult, as I am in the same boat as you right now. I am also having to check my code line by line, to ensure all items raised have been resolved