
Automatic security applied to forms #5

Closed
g105b opened this issue Dec 3, 2017 · 2 comments

Comments

g105b commented Dec 3, 2017

Imagine a user enters their credit card information into a form and presses submit. Unsetting the globals doesn't directly enhance security, as php://input is still available, and credit card information should not be able to be read at all by third-party code.

Using openssl (or similar) to secure user input is the answer. Either on all forms, or opted in forms, security should be applied automatically.

It should work like this:

  • The public key of the application is injected as a hidden field on the form to be secured.
  • A plain text password is also injected into the form.
  • JavaScript should encrypt the data on submit, using the public key.
  • PHP.Gt/Input should throw an exception and halt execution if the plaintext password is visible in plain text on php://input; this means the JavaScript has not been run.
@g105b g105b added the feature label Dec 3, 2017
@g105b g105b added this to the v2 milestone Dec 3, 2017
@g105b g105b self-assigned this Sep 16, 2018
g105b commented Dec 5, 2018

Working code: https://github.com/g105b/aesjs-test

g105b commented Mar 18, 2022

This issue was created before Stripe had published its cross-origin payment input system, and is now out of scope. If this functionality is required in the future it should be managed in its own repository.

@g105b g105b closed this as completed Mar 18, 2022
Overview automation moved this from Backlog to Done March 2022 Mar 18, 2022