Christoph Posted March 30, 2018
Hi, I've been wondering how to deal with user input while using babylon js and where to pay attention. My idea was to use websockets + babylonjs to render some text so the users have the ability to talk to each other. However, while I guess that the webgl part is rather safe (because no user input enters the DOM), I wonder how safe the html5 canvas and its "fillText()" and "strokeText()" are.
Pryme8 Posted March 30, 2018
Huh? This is kinda not fully explained. The way you would lock down local methods like that is have them fired on multiple clients only if it comes from the server with the correct salt and hash key or a two step OAuth. Otherwise the user is free to manipulate the text they see on their local client all they want, it as a security gap is not a factor. https://en.wikipedia.org/wiki/Cryptographic_nonce Use this method or a likeness to control methods coming from the servers and verify their integrity. Once validated handle everything on the client side and sync to the server. But for the most part if a user wants to mess with their local stuff they are going to, you can have certain variables flagged and tracked. Then have the client poll the server intermittently to verify they have not been manipulated, but that is a lot of extra steps to prevent someone from digging around.
Christoph Posted March 30, 2018
Mea culpa. My head hurts and I guess I messed up the question. Lemme try again. I want to use a websocket-server so users have the ability to exchange messages, a simple chat, that's the untrusted user input part. Because those messages are sent by users and could contain malicious input that's broadcast to other users, filtering on the server side is a must because of this, else it will lead to XSS. But I was not able to find anything related to XSS, webgl / html5 canvas because they are used in babylonjs for text rendering and that's the place the user input is used at and where XSS could happen.
Pryme8 Posted March 30, 2018
Just sterilize any input before you run it on the server.
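
An added example, not part of any post in this thread: one way a WebSocket chat server could clean a message before broadcasting it, written for Node.js. The function names, the JSON frame shape and the 200-character limit are assumptions. Canvas `fillText()` draws the string as glyphs and does not parse markup, so `escapeHtml` matters only where the same text is also written into the DOM as HTML.

```javascript
// Added example (hypothetical names): server-side cleaning of one chat frame.
const MAX_LEN = 200; // assumed per-message limit, counted in code points

// Returns a cleaned single-line string, or null if the input must be rejected.
function sanitizeChatMessage(raw) {
  if (typeof raw !== 'string') return null;
  let text = raw.normalize('NFC');
  // Drop C0/C1 control characters and bidi marks/overrides/isolates, which
  // can hide content or reorder what other users see on screen.
  text = text.replace(
    /[\u0000-\u001F\u007F-\u009F\u200E\u200F\u202A-\u202E\u2066-\u2069]/g, '');
  text = text.trim();
  if (text.length === 0) return null;
  // Cut by code point so a surrogate pair is never split in half.
  return Array.from(text).slice(0, MAX_LEN).join('');
}

// Only for sinks that parse HTML (e.g. a chat log built with innerHTML).
// For canvas fillText()/strokeText() or element.textContent, pass the
// sanitized string as-is; escaping there would show the entities literally.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Parses an incoming frame (assumed shape: {"text": "..."}) and returns the
// frame to broadcast, or null when the message is dropped.
function handleIncoming(frame) {
  let msg;
  try {
    msg = JSON.parse(frame);
  } catch {
    return null; // not JSON: drop
  }
  if (msg === null || typeof msg !== 'object') return null;
  const text = sanitizeChatMessage(msg.text);
  if (text === null) return null;
  // Rebuild the object so no extra client-supplied fields are forwarded.
  return JSON.stringify({ type: 'chat', text });
}
```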