Laravel XSS protection - Soft Rejection

I was given a list of items to fix. I subsequently went through my entire application to address each issue. I resubmitted but have been rejected again.

Can someone please tell me if I have missed something? (The reviewer did not provide a further/exact reason; they said some of the issues raised have not been resolved.)

I am having to make assumptions.

Rejection Point (1)

Outputting unescaped data is a potential XSS risk. You should only output data that you expect, or need. For example, with Laravel and Blade, you can use this package: https://github.com/mewebstudio/Purifier which allows you to pass an array of allowed HTML

My Action

I added Purifier to all instances where I am outputting unescaped data:
{!! clean($foo_bar) !!}
All other data is being displayed using double curly braces {{ $foo_bar }},
which according to the Laravel documentation already protects from XSS by converting
to HTML special characters.

Rejection Point (2)

Don’t use @import, it prevents parallel downloads

My Action

I have removed all references to @import. Searching my whole application,
there is no longer any instance of this.

Rejection Point (3)

Don’t ship old libraries

My Action

I have updated all third-party libraries (Bootstrap, jQuery etc.).

Rejection Point (4)

All JavaScript should be written with “use strict” mode on

My Action

I have added "use strict" at the very top of every single JavaScript file.

    // This is just a comment at the top of my js file. It will be disregarded,
    // so the directive below is still the first statement in the file.

    "use strict";

    // my code here

Rejection Point (5)

No inline scripts or styles unless dynamic:

My Action

I removed all <style> tags inside my HTML elements.
I also removed all JavaScript code (however, I am thinking this is where
the issue may be).
I replaced the raw JavaScript code with a reference to a JS file.

The links are, however, not in the footer but I have them within the HTML,
where they are needed (like in a dynamic modal window). Could this be the issue? Is this still viewed as inline JavaScript, even though it's a link to a JS file?

These were the points raised at the last rejection. I then fixed them and indicated this point by point in my resubmission.

I am now very worried about having my author account suspended (the reviewer mentioned this could happen).

I don't know what to do now, as I am not even sure what I am said to not have fixed.

If by some chance the reviewer on my submission happens to read this post,
please point me in the right direction; I would really appreciate it.

… I am so confused right now.

I love Envato, both to sell and to buy, and they have always improved, but one point I think I must raise is that never giving clear explanations, and leaving producers who often spend weeks if not months planning a product in the dark, is really disappointing. I would recommend explaining the reasons better.

I am having the same problem these days; I have had your exact reasons. I am trying to fix it, but I never have anything too clear, and being told that my account may be restricted, just because I am trying to improve a product and therefore resolve the issues, is also really disappointing and not very motivating.

I agree. I think the system needs to have a checklist-type rejection system, where the reviewer checks/ticks the items resolved, and that way you know what is still to be resolved or what you may have missed.

It would really help the authors a lot. I appreciate that the standards have to be held high; it's what makes the marketplace great. It's just that we could do with a little help to get things approved.

Can any reviewers or other forum members please advise whether there is any need to sanitize Laravel Blade data that is inside double curly brackets?

{{ $foo->$bar }}

or do I still need to do this:

{{ clean($foo->$bar) }}

It seems overkill to me because no XSS exploit is possible when using the double curly brackets, as any markup is converted to HTML special characters.

Also, is this acceptable usage of an inline <script> when setting dynamic language strings that you will use inside your JavaScript files? I cannot see any other way to pass Laravel variables which are going to be used by JavaScript files.

    <head>
      <script>
        lang = {};
        lang.hello_world = "{{ clean(__('lang.hello_world')) }}";
      </script>
    </head>

I appreciate any advice on these issues before I resubmit my file.
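The following is an added example, not from this thread and not Laravel's own code: plain-PHP stand-ins for the two encodings a Blade template needs, showing why `{{ }}` needs no extra `clean()` in an HTML context, and why a value headed for a `<script>` block wants a JavaScript-context encoder (what Blade's `@json` directive is for) rather than HTML escaping. The function names `html_escape` and `js_literal` and the `$hello` string are constructed for the example.

```php
<?php
// Added example (not from the thread, not Laravel's code). Runs without Laravel.

// Stand-in for what Blade's {{ }} does: Laravel's e() helper wraps
// htmlspecialchars with ENT_QUOTES. Correct for an HTML text node or a
// quoted attribute value; the browser shows the text, interprets no markup.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for a JavaScript-context encoder: a JSON literal whose < > & ' "
// are hex-escaped, so the value can neither close the </script> tag nor
// break out of its quotes. Blade's @json directive builds on json_encode.
function js_literal(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed translation value with the characters that matter in both contexts.
$hello = 'Hello "world" & </script> <b>bold</b>';

// 1. HTML context: {{ }}-style escaping alone is sufficient; clean() adds nothing.
echo '<p>' . html_escape($hello) . "</p>\n";

// 2. JS context, the thread's approach: HTML-escaping inside a JS string literal.
//    It cannot break out of the string or the script tag, but JavaScript receives
//    HTML entities (&quot;, &amp;, &lt;) where the original characters were.
echo "<script>\nlang = {};\nlang.hello_world = \"" . html_escape($hello) . "\";\n</script>\n";

// 3. JS context, context-correct: emit the whole object as a JS literal.
//    JavaScript gets the exact original characters, and nothing can escape
//    the literal or the <script> element. In Blade: const lang = @json($lang);
$lang = ['hello_world' => $hello];
echo "<script>\nconst lang = " . js_literal($lang) . ";\n</script>\n";
```

Run it with `php example.php` and compare the three outputs: the first two are safe but the second hands entity text to JavaScript, while the third is both safe and faithful.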