• Web Development - WAYWO - #8
    5,514 replies, posted
[QUOTE=Potatofactory;45477386]1) The XSS security is basically a filter to where your current steam username will be filtered of any code and just make it a plain string.[/QUOTE] You're making it sound like a feature when it's a basic necessity.
[QUOTE=TrinityX;45477465]Don't even make music an option.[/QUOTE] We do indeed actually have the option "no music" a tick box. We also have an option to pick your own YouTube playlist to replace the default music selection, along with a whole bunch of options regarding music in the loading screen. Here's a list: • Volume Control • No Audio Option • Audio Cues (like sending client info...) to stop music • Share Playlist Option • View Time Option • Loop/shuffle Option • Playlist Control
[QUOTE=Potatofactory;45477616]We do indeed actually have the option "no music" a tick box. We also have an option to pick your own YouTube playlist to replace the default music selection, along with a whole bunch of options regarding music in the loading screen. Here's a list: • Volume Control • No Audio Option • Audio Cues (like sending client info...) to stop music • Share Playlist Option • View Time Option • Loop/shuffle Option • Playlist Control[/QUOTE] Clearly you didn't get my point, let me rephrase myself... [I]Do not give anyone the option of putting music on their loading screen.[/I]
[QUOTE=Alternative Account;45477518]You're making it sound like a feature when it's a basic necessity.[/QUOTE] I only said that because a lot of servers don't exactly have XSS Protection. I tested this theory by going on multiple servers with HTML code in my name. 75% (6/8) of the servers didn't have XSS protection
[QUOTE=Potatofactory;45477648]I only said that because a lot of servers don't exactly have XSS Protection. I tested this theory by going on multiple servers with HTML code in my name. 75% (6/8) of the servers didn't have XSS protection[/QUOTE] Just because "others do it" doesn't mean it isn't the standard. You should ALWAYS escape all output that is generated by user input. Always. Again, it's not a feature for your project. "New Toyota Aygo, with seatbelt".
[QUOTE=Cyberuben;45477671]Just because "others do it" doesn't mean it isn't the standard. You should ALWAYS escape all output that is generated by user input. Always. Again, it's not a feature for your project. "New Toyota Aygo, with seatbelt".[/QUOTE] They have a point. If 75% of cars didn't have seatbelts, Toyota sure as hell would advertise them.
Looking for freelance work, no matter how big or small. Please get in contact if interested, thanks!
[QUOTE=DrTaxi;45482586]They have a point. If 75% of cars didn't have seatbelts, Toyota sure as hell would advertise them.[/QUOTE] But I still don't feel like XSS "protection" should be seen as a feature on a loading screen, posted by a person that doesn't even have more than 2 posts. (his first post was here, btw)
[QUOTE=Cyberuben;45484336]posted by a person that doesn't even have more than 2 posts. (his first post was here, btw)[/QUOTE] What does that have to do with anything?
[QUOTE=horsedrowner;45484343]What does that have to do with anything?[/QUOTE] He joins this forum to show off his loading screen, featuring XSS protection as if it's something special when it comes to webdev, then lectures us about how we should all use it without even bothering to look at the things we post and assumes we don't know those trivial things.
[QUOTE=DrTaxi;45482586]They have a point. If 75% of cars didn't have seatbelts, Toyota sure as hell would advertise them.[/QUOTE] 75% out of a sample population of 8. a++++++++++
[QUOTE=Cyberuben;45484336]But I still don't feel like XSS "protection" should be seen as a feature on a loading screen, posted by a person that doesn't even have more than 2 posts. (his first post was here, btw)[/QUOTE] Post elitism. If he had posted the same thing with 5000 posts would you say the same thing? If yes then why mention it, if no then why does it matter. I think he has a point. If his competition isn't doing it then why not use it to advertise. He could cut out his fancy xss php stuff and replace [code]document.getElementById("username").innerHTML = name;[/code] with [code]document.getElementById("username").appendChild(document.createTextNode(name));[/code] And not bother about botched homemade xss solutions since text nodes can't have elements in them. + it's less work for the server than a bunch of regex.
[QUOTE=mdeceiver79;45484684]Post elitism. If he had posted the same thing with 5000 posts would you say the same thing? If yes then why mention it, if no then why does it matter. I think he has a point. If his competition isn't doing it then why not use it to advertise. He could cut out his fancy xss php stuff and replace [code]document.getElementById("username").innerHTML = name;[/code] with [code]document.getElementById("username").appendChild(document.createTextNode(name));[/code] And not bother about botched homemade xss solutions since text nodes can't have elements in them. + it's less work for the server than a bunch of regex.[/QUOTE] Would this work to avoid quotes screwing up variables, too? Like, if I have [code]var1 = 'Joe's potatoes';[/code] would it automatically escape that ' so that it doesn't break the string?
[QUOTE=mdeceiver79;45484684]He could cut out his fancy xss php stuff and replace [code]document.getElementById("username").innerHTML = name;[/code] with [code]document.getElementById("username").appendChild(document.createTextNode(name));[/code] And not bother about botched homemade xss solutions since text nodes can't have elements in them. + it's less work for the server than a bunch of regex.[/QUOTE] I doubt you have to worry about the performance of htmlspecialchars() this much to replace it with javascript. -edit- It is not even "Fancy XSS stuff". It's one function. big deal. [QUOTE=mdeceiver79;45484684]Post elitism. If he had posted the same thing with 5000 posts would you say the same thing? If yes then why mention it, if no then why does it matter. I think he has a point. If his competition isn't doing it then why not use it to advertise. [/QUOTE] That makes no sense btw. I assume that someone with 5000 posts would at least look at what kind of things are posted here in WAYWO and realise that we are not a bunch of dumb people who happen to know how to make things look pretty with HTML. We do actually know what we're doing, it would have taken him just 2 or 3 pages of WAYWO to find that out.
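The three posts above argue over two fixes for the same problem (server-side htmlspecialchars() versus client-side createTextNode()) and then ask whether either one stops a name like Joe's potatoes from breaking a string. Both fixes are instances of one rule: encode the value for the context you are writing it into. The block below is an added example written for this thread, not code from any poster's loading screen; it runs in Node without a browser, so the DOM approach is represented by its server-rendered equivalent (escaping for HTML text) and the quote question is answered by a second encoder for the JavaScript-string context. The function names and the sample names are constructed for the example.

```javascript
// Added example: context-aware encoding of a client-supplied Steam name.
// HTML text context: the same five characters PHP's htmlspecialchars()
// escapes with ENT_QUOTES. After this, the value can only ever be text,
// which is what appendChild(document.createTextNode(name)) guarantees
// on the client side.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context (e.g. var name = ...; inside an inline
// <script>). HTML escaping is the wrong tool here: it would not stop a
// stray quote from ending the literal. JSON.stringify escapes quotes and
// backslashes; the extra replacements keep "</script>" and the U+2028/2029
// line terminators from ending the script block or the literal early.
function toJsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the fragment of a loading screen that shows the name in both
// contexts. Each insertion uses the encoder for its own context.
function renderNameBlock(name) {
  return `<span id="username">${escapeHtml(name)}</span>\n` +
         `<script>var name = ${toJsStringLiteral(name)};</script>`;
}

// Count how many <script> elements the rendered fragment contains; a
// correctly encoded name can never add a second one.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample names, not taken from any real server.
const SAMPLES = [
  "Joe's potatoes",      // the quote case asked about in the thread
  '<b>bold name</b>',    // markup that an innerHTML assignment would render
  'a"b</script>c',       // would terminate an inline script if written raw
];

for (const name of SAMPLES) {
  const html = renderNameBlock(name);
  console.log(`${JSON.stringify(name)} -> ${scriptTagCount(html)} script tag(s)`);
  console.log(html);
}
```

The point of the two encoders is that the question "does createTextNode handle quotes?" has a context-dependent answer: in the DOM text context quotes need no handling at all, while inside a script literal they need a JavaScript encoder, and htmlspecialchars() is not that encoder.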
[QUOTE=Cyberuben;45484743] That makes no sense btw. I assume that someone with 5000 posts would at least look at what kind of things are posted here in WAYWO and realise that we are not a bunch of dumb people who happen to know how to make things look pretty with HTML. We do actually know what we're doing, would have taken him just 2 or 3 pages of WAYWO to find that out.[/QUOTE] Zing was for first part. I disagree with the second part since it doesn't accommodate for users who lurk here, some possibly for years. I've not seen much discussion about xss in this thread for a good while, it is mostly people showing off portfolio pages and/or bootstrap creations.
Uh thanks for reminding me of xss for my upcoming project, only thought of csrf until now
[QUOTE=Silentfood;45474795]I saw some guy in programming WAYWO [URL="http://facepunch.com/showthread.php?t=1405898&p=45455690&viewfull=1#post45455690"]working on an application[/URL] that syncs a movie and streams it to a friend so you can watch it at the same time. I've spent the last few days trying to make the same idea but built into the browser, it's come along alright so far. [t]http://up.nlan.org/R.jpg[/t] [URL]http://nlan.org/testing/[/URL] That being the code behind it is shit and piss, from what I've tested so far it's working as planned. I think there's some lag issues due to the bad code behind the video, but I'm slowly refining it. It uses (somewhat) p2p to stream mp4's to multiple connected clients upon someone who acts as a "host". The audio is streamed through as standard audio media, but I was not too sure on how to process the video tag as a stream that wouldn't affect the player controls. So it paints to a canvas which is bad in many ways, but it's pulling it off through jpeg to speed it up.[/QUOTE] does this only stream to one friend? i've been thinking about doing something like this, except each person has the video file and it just syncs the time between everyone - avoids lag and shit quality. i dunno
[QUOTE=Gravy;45485482]does this only stream to one friend? i've been thinking about doing something like this, except each person has the video file and it just syncs the time between everyone - avoids lag and shit quality. i dunno[/QUOTE] it streams to multiple people, it just depends how much bandwidth you can take. you could do the video file idea you were saying, but problems arise when you seek a video half way and the player takes 1-2 seconds trying to buffer the data only to be seeked again because it's behind. i did trial the idea with youtube, it worked in a sense but the buffer issue i mentioned made it unplayable in some cases
Working on a simple file upload using [URL=http://flask.pocoo.org]Flask[/URL]. Currently got flashes working, as well as some basic file information. Not planning to actually save the file with this, as this is just practice. Eventually going to work on a system where I can upload my completed freelance jobs for clients to download. [IMG]http://i.imgur.com/f4vECnu.png[/IMG] Even drew a little favicon in gimp [IMG]http://i.imgur.com/Ra4DQBB.png[/IMG]. [editline]25th July 2014[/editline] [QUOTE=Silentfood;45489965]it streams to multiple people, it just depends how much bandwidth you can take. you could do the video file idea you were saying, but problems arise when you seek a video half way and the player takes 1-2 seconds trying to buffer the data only to be seeked again because it's behind. i did trial the idea with youtube, it worked in a sense but the buffer issue i mentioned made it unplayable in some cases[/QUOTE] To get around the buffering issue, you'd have to pause the non-buffering clients until they are all ready, creating an extremely unpleasant experience for people with good internet.
How's it look? [URL=http://attritiongame.com/login][img_thumb]http://i.minus.com/jEj42vFwIAdEA.png[/img_thumb][/URL] [URL=http://attritiongame.com/register][img_thumb]http://i.minus.com/iV1FTT6X2JYiX.png[/img_thumb][/URL] [URL=http://attritiongame.com/irc][img_thumb]http://i.minus.com/idITsr37X0C0M.png[/img_thumb][/URL] URLs to these pages because the bb code doesn't work with thumbs: [url]http://attritiongame.com/login[/url] [url]http://attritiongame.com/register[/url] [url]http://attritiongame.com/irc[/url]
Looks really nice, but I have a few issues with it. (It might just be me and it still looks really good! Just thought I'd let you know my first thoughts). There isn't really 'consistency' with the input bars. I feel that they're too wide on logging in, the username is typically no more than 15 characters long, yet your input looks like it could hold a small story. The next page has the input boxes at 50%, which looks so much better. Then the third page, has it central and around 25% width. I think it would look better with username and password at 25% each and central to log in. Also it might just be preference but I can't help shake that I feel it should be 'Retrieve Account | Register | Log in' (swap retrieve account and log in) as you usually see at the end of a form the action (submit) button is on the right and below. (whether it be 'next', 'report', 'submit', 'login' etc).
[QUOTE=Gravy;45485482]does this only stream to one friend? i've been thinking about doing something like this, except each person has the video file and it just syncs the time between everyone - avoids lag and shit quality. i dunno[/QUOTE] I am working on it (the program he mentioned). Converting it over to WPF currently (allows me to customize the look a lot nicer) and having some issues, but its getting there. [url]http://facepunch.com/showthread.php?t=1405898&p=45455690&viewfull=1#post45455690[/url] I will hopefully have some kind of 'beta' soon. As I do plan on releasing the program. For files all users have to have the file. Making it so when you connect to a server it tells you which file is currently being played and asks you to load the same file. I do plan for people to sync youtube videos, and music and everything really. As for what Silentfood said about syncing the time, it isn't that crazy hard to do.
I'm organising a hackathon with my university entrepreneurship society, need to make a sign up page. what do you think of this? [url]http://speedsums.com/hackathon/[/url] Also, if you're currently a university student in the UK then you should totally come
[QUOTE=BeatAlex;45496073]Words.[/QUOTE] Thanks for the feedback, it was helpful. Here's the current view: [img_thumb]http://i.minus.com/iPykoYxmO0HwL.png[/img_thumb] [img_thumb]http://i.minus.com/ibae23MUpey61s.png[/img_thumb] Let me know of any further suggestions.
[QUOTE=Bushmaster030;45504132]Thanks for the feedback, it was helpful. Here's the current view: -snip- Let me know of any further suggestions.[/QUOTE] [img]http://i.imgur.com/SIgvkKB.png[/img]
How's this? [img_thumb]http://i.minus.com/igm8iMAifNyYm.png[/img_thumb]
[QUOTE=Alcapwne;45502582]I'm organising a hackathon with my university entrepreneurship society, need to make a sign up page. what do you think of this? [url]http://speedsums.com/hackathon/[/url] Also, if you're currently a university student in the UK then you should totally come[/QUOTE] Wish I was a uni student, currently still in college. That website looks really nice, I would never have guessed it was using Bootstrap.
[QUOTE=Bushmaster030;45505165]How's this? *snip!*[/QUOTE] I think the big green box shouldn't have a check mark, but words in it. That would help to clear up the purpose of that button. It also needs a bit of margin to keep it further away from the reCAPTCHA box. It's much closer than the country selector. The reCAPTCHA box should be centered. The two blue buttons at the bottom should also be links, or at least blend in more with the background. Their color makes them stand out a lot, even though they have no relevance to the form itself.
[QUOTE=Bushmaster030;45505165]How's this? [img_thumb]http://i.minus.com/igm8iMAifNyYm.png[/img_thumb][/QUOTE] You should create your own captcha look, and not just use the default one. TrinityX did this on sourcechatjs.com (our project) [t]http://ss.rubensrv.nl/i/1264qf.png[/t]
[QUOTE=Potatofactory;45477648]I only said that because a lot of servers don't exactly have XSS Protection. I tested this theory by going on multiple servers with HTML code in my name. 75% (6/8) of the servers didn't have XSS protection[/QUOTE] I know it's good to have good security practices even where it doesn't matter, but I'd just like to point out: how many people can view someone's name on a loading screen? It's 1 unless you have a leaderboard/"players in game"/etc. If only the person doing the attack is affected the xss exploit will not have any practical use to an attacker.