Security Specification
1. [Mandatory] Pages or functions that belong to a specific user must undergo permission-control checks.
Description: Without horizontal (same-role) permission checks, anyone could access and operate on other users' data at will, for example viewing or modifying another user's orders.
2. [Mandatory] Directly displaying sensitive user data is prohibited; displayed data must be desensitized (masked).
Description: When a user views their own mobile phone number, it is shown as 158****9119, hiding the middle 4 digits to prevent privacy leakage.
3. [Mandatory] SQL parameters entered by the user must be strictly constrained through parameter binding or METADATA field values to prevent SQL injection. Building SQL by string concatenation (splicing) and sending it to the database is prohibited.
4. [Mandatory] Any parameters passed in by the user must be validated.
Description: Ignoring parameter validation may lead to:
Excessive page size leading to memory overflow
Malicious order by causing slow database queries
Arbitrary redirection
SQL injection
Deserialization injection
Regular-expression denial of service (ReDoS) from user-supplied input
Description: Java code uses regular expressions to validate end-user input. Some regular-expression patterns have no problem validating ordinary user input, but if an attacker submits a specially constructed string for validation, it may lead to an infinite loop.
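The following is an added example, not part of the guideline itself, covering items 3 and 4 together: the prohibited string-spliced query beside a hardened version that binds the user value, maps the order-by column onto a fixed whitelist (ORDER BY cannot be parameter-bound), and caps the page size. It uses Python's sqlite3 with an in-memory database and a constructed `orders` table so it runs stand-alone; the column names and limits are assumptions chosen for the demonstration.

```python
import sqlite3

# Columns a caller may sort by. ORDER BY cannot be passed as a bound
# parameter, so the only safe option is a fixed whitelist of our own literals.
ALLOWED_ORDER_BY = {"created_at", "amount"}
# Upper bound on page size, so a huge value cannot exhaust server memory.
MAX_PAGE_SIZE = 100


def connect_with_sample_data():
    """In-memory database with constructed sample orders for two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, user_id TEXT, amount REAL, created_at TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "alice", 10.0, "2024-01-01"),
        (2, "alice", 25.0, "2024-01-03"),
        (3, "bob", 99.0, "2024-01-02"),
    ])
    return conn


def orders_spliced(conn, user_id):
    """The prohibited pattern: user input concatenated into the SQL text.

    A quote character in user_id changes the structure of the query.
    """
    sql = "SELECT id FROM orders WHERE user_id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def orders_bound(conn, user_id, order_by="created_at", page_size=20):
    """Hardened version: bind the value, whitelist the column, cap the page."""
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError("unsupported order_by column")
    if not isinstance(page_size, int) or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page_size must be between 1 and %d" % MAX_PAGE_SIZE)
    # order_by is now guaranteed to be one of our own literals, so interpolating
    # it is safe; user_id and page_size travel as bound parameters, never as SQL.
    sql = "SELECT id FROM orders WHERE user_id = ? ORDER BY %s LIMIT ?" % order_by
    return [row[0] for row in conn.execute(sql, (user_id, page_size))]
```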
5. [Mandatory] It is prohibited to output user data to an HTML page without safe filtering or proper escaping.
6. [Mandatory] CSRF security filtering must be performed on form and AJAX submissions.
Description: CSRF (Cross-site request forgery) is a common programming vulnerability. For an application/website with a CSRF vulnerability, the attacker constructs a URL in advance; as soon as the victim user accesses it, the backend modifies the user's data in the database accordingly, without the user's knowledge.
7. [Mandatory] When using platform resources such as text messages, emails, phone calls, orders, and payments, correct anti-replay restrictions must be implemented, such as quantity limits, fatigue control, and verification-code checks, to avoid abuse and financial loss.
Description: If a verification code is sent to the mobile phone during registration and there is no limit on the count and frequency, this function can be abused to harass other users and wastes SMS platform resources.
8. [Recommended] Scenarios involving user-generated content, such as posting, commenting, and sending instant messages, must implement risk-control strategies such as anti-spam (anti-brushing) measures and filtering of banned words in text content.