Mafia Wars bugs

Submitted by tomo on September 29, 2010 - 3:40am

After playing Mafia Wars for awhile, I've noticed some bugs recently. They are in the way certain strings are formatted.

'You were snuffed in the fight, losing 6 experience points%FMT_SPAND_END%'

'%OPPONENT% asked their Mafia to attack you. Fight them back now'

I wonder what language or template system they are using that does replacement using '%FOO%'? The second example would be a user's Mafia Wars name which is something users can input. What if Zynga didn't properly sanitize names, allowing Javascript code in the name, so anyone who clicked the name would have their Facebook account compromised? Or even a mouse-over attack like Twitter saw last week. Zynga only lets you set the player's name when you start, and later on you have to pay money to change, so this is just wishful thinking for now. :)

Read the rest of this article...
© 2010-2014 Saigonist.