(untrusted) user input & html5 canvas / babylonjs

I've been wondering how to deal with user input while using Babylon.js and where to pay attention. My idea was to use websockets + Babylon.js to render some text so the users have the ability to talk to each other. However, while I guess that the WebGL part is rather safe (because no user input enters the DOM), I wonder how safe the HTML5 canvas and its "fillText()" and "strokeText()" are.

This is kinda not fully explained. The way you would lock down local methods like that is to have them fired on multiple clients only if it comes from the server with the correct salt and hash key, or a two-step OAuth. Otherwise the user is free to manipulate the text they see on their local client all they want; as a security gap, it is not a factor.


Use this method, or a likeness of it, to control methods coming from the servers and verify their integrity. Once validated, handle everything on the client side and sync to the server.

But for the most part, if a user wants to mess with their local stuff they are going to. You can have certain variables flagged and tracked, then have the client poll the server intermittently to verify they have not been manipulated, but that is a lot of extra steps to prevent someone from digging around.

Mea culpa. My head hurts and I guess I messed up the question. Lemme try again :)

I want to use a websocket server so users have the ability to exchange messages, a simple chat; that's the untrusted user input part. Because those messages are sent by users and could contain malicious input that's broadcast to other users, filtering on the server side is a must, else it will lead to XSS.

But I was not able to find anything related to XSS and WebGL / HTML5 canvas, because they are used in Babylon.js for text rendering, and that's the place where the user input is used and where XSS could happen.
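The question in both posts above is where untrusted chat text becomes dangerous. The following is an added example, not code from the thread or from Babylon.js. It assumes chat messages arrive as JSON `{user, text}` over a WebSocket, that the text is drawn through a 2D canvas context (which is, by my assumption, what Babylon.js's text drawing ultimately calls), and that the same text may also be shown in an HTML chat log. The canvas API's `fillText()` / `strokeText()` take the string as glyphs to draw and never parse markup, so HTML-escaping is neither needed nor wanted there; the string only becomes an XSS problem if it is later concatenated into `innerHTML`. The server-side filter is therefore structural (valid JSON, string types, length, control characters), and the DOM path does its own escaping. `recordingContext()` is a constructed stand-in for a real `CanvasRenderingContext2D` so the code runs without a browser.

```javascript
// Added example (not from the forum thread): a minimal chat-message pipeline
// showing where untrusted text is harmless and where it must be escaped.
// Assumptions: JSON {user, text} messages; canvas rendering via fillText;
// an optional HTML chat log. recordingContext() is a constructed fake.

const MAX_TEXT_LEN = 256;
const MAX_USER_LEN = 32;

// Server-side filter. It enforces shape and size only; it deliberately does
// NOT HTML-escape, because canvas text is not HTML and "&amp;" would show up
// literally on screen for every other user.
function validateMessage(rawFrame) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch {
    return null; // malformed frame: drop it
  }
  if (typeof msg !== 'object' || msg === null) return null;
  if (typeof msg.user !== 'string' || typeof msg.text !== 'string') return null;
  // Strip C0/C1 control characters except tab, LF and CR.
  const text = msg.text.replace(
    /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g, '');
  const user = msg.user.replace(
    /[\u0000-\u001F\u007F-\u009F]/g, '').slice(0, MAX_USER_LEN);
  if (text.length === 0 || text.length > MAX_TEXT_LEN) return null;
  if (user.length === 0) return null;
  return { user, text };
}

// Canvas path: fillText draws the characters as glyphs. "<script>" is just
// eight characters of pixels; nothing is parsed or executed.
function drawMessage(ctx, msg, x, y) {
  ctx.font = '16px sans-serif';
  ctx.fillText(`${msg.user}: ${msg.text}`, x, y);
}

// DOM path: the same string IS dangerous if it reaches innerHTML. Escape the
// five significant characters in one pass (so '&' is never double-escaped).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds an HTML fragment for a chat-log line. (In a real page, prefer
// element.textContent = ..., which needs no escaping at all.)
function toLogHtml(msg) {
  return `${escapeHtml(msg.user)}: ${escapeHtml(msg.text)}`;
}

// Constructed stand-in for CanvasRenderingContext2D that records fillText
// calls, so the canvas path can be exercised outside a browser.
function recordingContext() {
  const calls = [];
  return {
    font: '',
    calls,
    fillText(str, x, y) { calls.push({ str, x, y }); },
  };
}

// Demo with a constructed hostile message.
const demoFrame = JSON.stringify({ user: 'mallory', text: '<script>alert(1)</script> & friends' });
const demoMsg = validateMessage(demoFrame);
const demoCtx = recordingContext();
if (demoMsg) drawMessage(demoCtx, demoMsg, 10, 20);
```

Run under Node to see that `demoCtx.calls[0].str` still holds the raw `<script>` text (safe on canvas), while `toLogHtml(demoMsg)` yields the escaped form needed for an HTML log.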
