Yo what happened? I ate dinner and missed all the fun lol @NoNameByProgram

@CatR3kd people are putting html tags and now the leaderboard is dying

ooh wow.
edit: just saw the repl crash in the console lol
@NoNameByProgram

@CatR3kd i have no idea what to do

we could just disable the button until it is fixed? @NoNameByProgram

@CatR3kd it just got fixed phew

awesome, kudos to you @NoNameByProgram

Hey so some dude named asdf has 123412341234213e+22$.... How do I ban him? @NoNameByProgram

@CatR3kd lmfao
remove his name in the json files

ok lol @NoNameByProgram

@NoNameByProgram oh boy you had no XSS protection? If scripts were injected cookies could've been stolen and the attacker could login to an account via the cookie

@realTronsi ...what? that won't work. we use passwords

@NoNameByProgram ik but you have cookies, so leading a XSS attack could easily have stolen everyone's cookies and hence their accounts. Other more malicious things may happen as well, such as virus injections and/or ip loggers for DDoS attacks etc

@realTronsi oh god, i'm glad we added that username thing. but what if they put it in the password? will it still work?

@NoNameByProgram uh I haven't looked at your code, I'm assuming for the lb you're using innerHTML? If thats the case then that's the culprit. Passwords wont matter unless you're displaying someone's password

@realTronsi what's an lb? Anyway,
passwords are never displayed, so does it still apply?

@NoNameByProgram lb means leaderboard, and yes no need to worry about passwords

@realTronsi Ah! So everything is fixed now, phew!

Phew! That would've been bad. I was able to get onto repl real quick, and found a major bug. If you have the game open while it resets, you keep your progress. This is not good lol. Maybe you could ifx it by kicking the user off at 8:00? Like refresh the page? IDK, but I'm glad I noticed lol. I may or may not be able to respond to further comments lol
@NoNameByProgram

@CatR3kd i think it refreshes it....when was this exactly?

just at this reset. @NoNameByProgram

@CatR3kd yea, i just changed the code after the reset and now it's working...

it should work now

Cool. Thanks! oh btdubs I'll ping you on discord when iv'e finished the info page, it'll probably be tommorow. @NoNameByProgram

@CatR3kd k! cya!

cya! @NoNameByProgram

@NoNameByProgram pretty sure people are hacking again, there are insane numbers that were gotten in an hour or so

OK, I have been banning people but I can check again. @NathanPp

wdym how do they hack @NoNameByProgram

@CuriousMonkey i explained it...

@CatR3kd to stop people trying XSS hacks you could use a function like this to block all HTML tags. It won't allow any input surrounded by tags, like this <this is a tag>.

Here is the function:

function isTag(str) {
  return /<[^>]*>/g.test(str);
}

To add another layer of safety you could run this function before submitting the input:

function convertTags(str) {
  return unescape(str).replace(/</g, "&lt;").replace(/>/g, "gt;").trim();
}

Here is a repl I made which demonstrates how to use the functions: https://repl.it/@RolandJLevy/js-input-with-tags-blocked

@RolandJLevy Thanks! This will really help in the future!

@NoNameByProgram, that's great! Good luck with your project :)

Hey @NoNameByProgram , me and lightning rock were thinking of doing some big boy updates. We probably should turn off the project. So if you want to add the chat(s) feature, this could be a good time!

@CatR3kd i guess we could start the chat sometime today :D

Cool, yeah! I'm not gonna have very much free time today but if you want to do it without me, that's not a problem @NoNameByProgram

@CatR3kd any idea why the users are being banned?

Yeah, the json file keeps deleting itself. |: @NoNameByProgram

Oh yeah, boi. No getting past us. @NoNameByProgram

@CatR3kd you can use an automod that auto bans

yeah, we are actually working on that right now! @realTronsi

lol ty @GeumjuKim

Uh this is all nonamebyprogram's code maybe you should tag him lol I don't do the nodejs @firefish

@CatR3kd Alright here is some CONSTRUCTIVE criticism about your code @NoNameByProgram (also you could've pinged him here but)
Also these principals apply to all JS

@firefish can i just die in peace :D

@firefish i would appreciate that

lol @NoNameByProgram

@NoNameByProgram It's just unidiomatic code is painful to look at

Hey @NoNameByProgram @lightningrock wants to know if he can help with the game, and im fine with that, just wanted to check with you

brutal jeez
jk lol
@firefish

@firefish i'd agree

@CatR3kd Fine with that! Also, should we put this game on a Git repo?

gottem
jk lol
@NoNameByProgram

@NoNameByProgram Well yes, Git is like the best, repl.it's vcs is just a pig's breakfast

Yeah, I'm thinking if this game gets epic we move it to a digitalocean droplet, so yeah
@NoNameByProgram

wdym vcs @firefish

@CatR3kd Well (according to google because I have no idea what that is) a digitalocean droplet is just a fancy VM, like repl.it is really an unfancy speeeedy VM called a container

hmm imma pretend i understand
ah that makes sense
@firefish

@firefish lmao

@CatR3kd version control system, like this thingy

hmm intersting lol @firefish

@CatR3kd aight a VM is a virtual machine, bear in mind repl.it is really an unfancy speeeedy VM

@CatR3kd Also WHAT why aren't you using mardown

Factions Online POSSIBLE UPDATES:

- [ ] Upgrade tiers
- [ ] Purchaseable military units
- [ ] Factions (Teams) and raiding mechanics
- [x] Disable ctrl+shift+i
- [x] Fix E-math auto banning
- [ ] Add infinity auto banning
- [ ] Leveling system
- [ ] Friend system
- [ ] Team chat
- [ ] Community/Public chat
- [ ] Friend chat /Approved by NoNameByProgram/
- [ ] Mod chat /Approved by NoNameByProgram/
- [ ] Dev chat /Approved by NoNameByProgram/
- [ ] Make website look nicer
- [ ] Logo/Favicon/Background
- [ ] Ad service (Minor amount)
- [ ] New name?
- [ ] Better banning system instead of account deletion (Maybe IP ban)
- [ ] Ban warnings
- [ ] Ban page
- [ ] Mod page
- [ ] Dev page
- [ ] Mod application?
- [ ] Dev application?

Once all that's done we can move to a digitalocean droplet with a .io domain

Feel free to add to the list

eh no big deal @firefish

@CatR3kd but markdown superior

well thanks! @JosephMonticell

Ooh yeah! @canyon2020

@CatR3kd Do you think you can achieve it? Also, im pretty good with programming. Finally, you should add a community chat area! (Just thought of this!)

yeah, I probably could. I'll ask for help though if I need it! And a chat area: Yeah we probably could! That would be more backend though so it would be more up to noname @canyon2020

@canyon2020 :ooooooo

Oh hey, @NoNameByProgram , so I just wanted to tell you that the E-math autoban does not work lol also, could you add an autoban for if the user's money is equal to infinity? lol I woke up to some dude named god who had infinity$

Oh and I DM'ed you on discord with a bunch of ideas that we could add, not like we need them all rn but just ideas (: @NoNameByProgram

@CatR3kd i'll check it later

OK cool @NoNameByProgram

@CatR3kd lmao ik
i think it works now, not too sure, but we'll leave it alone for an hour or so i guess

epic lol @NoNameByProgram

ooh, thanks for telling me. I'll ban him rn @TalinSharma

@CatR3kd

lmfao should i rerelease?
@NoNameByProgram

Actually we could go back and add more stuff if you wanted to
@NoNameByProgram

@CatR3kd depends lol ur choice

yeah, i took it down do to it being so popular it lagged all of repl lol @CuriousMonkey

A favicon! @canyon2020

ez what do you want it to look like
@CatR3kd

"FO" @canyon2020

JS magic @EmpireReedSQB

@CatR3kd tell me your wasy

???? lol @EmpireReedSQB

@CatR3kd tell me how you blocked people from just holding enter instead of tapping

BIG BRAIN @EmpireReedSQB

Ask noname @EmpireReedSQB

No i turned it off because it was ending replit lol @AidanTurc

Nope theres a CPS cap that autobans cheaters @zabuzatheashura

nice! @DJWang

Thanks! @Blackout4344

Yeah there's logins with cookies and a json file @CodersXD

@CodersXD we don't use any module for those two :O

Yeah, we know lol @noway15

Yeah lol @Baconman321

@CatR3kd Still, you can set an interval to click slower, then leave the game to click for u

Yes, we're gonna implement AFK detection @Baconman321

@CatR3kd just use window.onfocus and window.onblur (client side)

@Baconman321 thanks!

@NoNameByProgram As long as you have client side scripts, there will always be a way around it. Just remember this: always treat info sent to backend by the client as unsafe and NEVER EVER handle sensitive information with javascript.

@NoNameByProgram Also, I see you are storing passwords in a json file. This is a big nono. Repl has recently made databases, I suggest you use those to store passwords and usernames, not a file.

Yes, but we are going to move from repl eventually. Why is this a nono? @Baconman321

@CatR3kd Because people can see your repl, your files, and everything except for the .env files, which are a pain to use to store things. Of course, you could always encrypt the passwords (store the key in an .env file, then get that using process.env.nameOfValue), but I recommend encrypting the passwords then storing them in a database. Of course, in practice (since if a hacker gets a hold of the file, then they can see what key you use since it's in the encrypt function), encrypting passwords is a bad idea, but no one can access your key in the env file (easily). In reality, however, when you move away from repl.it, hash passwords instead. Read about hashing here.

Hmmm, but lol the passwords are encrypted @Baconman321

@CatR3kd With what? What algorithm? Also, when you use the key, do you store it in an env file so that no one sees your key (otherwise they can easily decrypt it)

I have no idea ask noname lol @Baconman321

@NoNameByProgram what do you use for encryption. Also, do you store the key in an env?

@Baconman321 repl.it has a bad database.

@Baconman321 wdym "key"?
we use sha256 enc.

sadly kinda true lol
Did ya know cookiemann made it?
@NoNameByProgram

big brain
@NoNameByProgram

@NoNameByProgram Ok, so that is a hash function. That is different than encryption. @CatR3kd told me it was encryption, but I see that it is a hash algorithm. Yeah, otherwise storing plain passwords in a json file is bad. Ok, NVM, just wanted to see how you secure your passwords :>
Edit: Sorry I took so long to respond, I'm not available over the weekends.

@Baconman321 why is hash so bad revealing to the public?
hmm???

@NoNameByProgram It isn't. I was saying it was bad to reveal the passwords unencrypted/hashed. It's fine.

So that no single person dominates the leaderboard @hihigood

You're gonna have to open in a new tab @patrickxyz

@HyawMatias try opening in a new tab - cookies do not work in an iframe

@NoNameByProgram it worked thanks

@EpicRaisin hmmm... it's supposed to be up forever, we'll look into it.

@OskarBrady holy shut

@NoNameByProgram I wasted so much of my day doing this

@OskarBrady is that good? :thonk:

Well yes, but actually no @NoNameByProgram

lol
@OskarBrady

Lol, this repl is super laggy because of all the users @TalinSharma

Huh, I guess that makes sense, maybe in the next version I guess you could add some code that maybe allows more users @CatR3kd