Hello folks on this Envato forum, could you help me with a little something?
I will briefly tell you the problem: I have been trying to upload an article for approximately 4 months, in those same 4 months, Envato makes the same observations to me, with the list of errors or points that they want me to change. In these 4 months it remains exactly the same, without changes. Despite the modifications that I make to my code.
What I ask Envato to explain is where I’m wrong, so I can focus on that mistake, but Envato sends me the exact same list again, without any changes.
This does not seem fair to me as I am correcting blindly. I would like you to tell me what I need to correct specifically. Once again I receive the same list with the same observations.
That doesn’t seem fair to me so I ask for your help to help me go through my script code and find the error.
I ask you to download this file, do not worry, as the author and creator of it, I give you the permission to download this code.
All JavaScript should be written with “use strict” mode on.
For example, you can do this with jQuery as follows:
(function($) {
    "use strict";
    // Author code here
})(jQuery);
md5() is cryptographically broken and should not be used.
Data Validation issues have been found. Do a global search for “echo $”.
All dynamic data must be correctly escaped for the context where it is rendered.
1. Don’t suppress errors:
If you put an @ in front of your function call it will suppress all error messages (remove all @).
2. Remove all unused code:
Remove all commented code
3. Keep libraries up-to-date, and don’t load from CDN:
Download latest version of jQuery & other libraries on your local machine and include it in your HTML code.
6. Use .on() rather than .click(), .bind(), .hover(), .submit()
Try this
$('.elementClass').on('click', function() {
    // handler code here
});
7. md5() is cryptographically broken and should not be used.
For signing documents, SHA-2 (e.g. SHA-512) is considered secure. For storing passwords, you should use one of the algorithms dedicated to this purpose, e.g. bcrypt, sha512crypt or scrypt. In order to slow down an attacker, these algorithms apply the hash function many times with an input that is based on the number of the current round.
8. Data Validation issues have been found. Do a global search for “echo $”. All dynamic data must be correctly escaped for the context where it is rendered.
Try echo htmlspecialchars($variable);
Sorry for the delay and thanks for your explanation.
The problem is that this is not in my code. The 8 observations that you are making to me, just like the Envato team, I understand perfectly. I would like you to please look at my code and look for those errors, since my code is clean, but that's the problem.
I’m not saying this in a rude way, but I would like you to take a look at the code and then leave your opinion.
The reviewer also said you should not use md5() function. You have it in this file
application\system\core\image.php
You are echoing data without escaping it. It may very well be that you are sanitizing it when you save it in the database, but when the reviewer sees a line like the one below, it seems unsafe because you are not escaping it in any way. If you were using a template engine like Blade and you had {{ $value['foobar'] }} it would be known that the double curly brackets are properly protecting from XSS by converting any HTML tags.
you could perhaps do this, as per the reviewers suggestions
echo htmlspecialchars($value['foobar']);
I know it's difficult, as I am in the same boat as you right now. I am also having to check my code line by line, to ensure all items raised have been resolved.
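To make the two reviewer points concrete (escaping for the rendering context, and md5() for passwords), here is an added example that is not from the thread or from the poster's project. The $value array is constructed sample input; the helpers e() and e_js() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Constructed sample: data that came from a request or the database.
// Treat it as untrusted regardless of what was checked when it was saved.
$value = ['foobar' => '<script>alert(1)</script>" onmouseover="alert(2)'];

// Escape for HTML body and attribute context. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would silently blank the output.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal is a different context and needs a different
// encoder: json_encode with the HEX flags so <, >, &, ' and " never appear raw.
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Unsafe: the pattern the reviewer's global search for "echo $" flags.
// echo '<td>' . $value['foobar'] . '</td>';

// Safe: the same data, escaped for the context it is rendered in.
echo '<td>' . e($value['foobar']) . "</td>\n";
echo '<input value="' . e($value['foobar']) . "\">\n";
echo '<script>var v = ' . e_js($value['foobar']) . ";</script>\n";

// md5() for stored passwords: use the dedicated password API instead.
// PASSWORD_DEFAULT is bcrypt, one of the algorithms named above.
$hash = password_hash('example-password', PASSWORD_DEFAULT);
var_dump(password_verify('example-password', $hash));
var_dump(password_verify('wrong-password', $hash));
```

Run it with php from the command line and compare the three echoed lines with the raw $value string to see what each encoder changes.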