CarEireann - Ireland's Car Marketplace

```javascript
// ── Supabase signUp ─────────────────────────────────────────
async function signUpUser() {
  if (!DB_CONFIGURED || !db) { doDemo(); return; }
  var inp = getAuthInputs();
  if (!inp.email || !inp.pass) { toast('Please enter email and password'); return; }
  var btn = document.getElementById('auth-confirm-btn');
  if (btn) { btn.textContent = 'Creating account...'; btn.disabled = true; }
  try {
    // the role picked in the modal is stored as user metadata on the new account
    var res = await db.auth.signUp({
      email: inp.email,
      password: inp.pass,
      options: { data: { role: _selRole } }
    });
    if (res.error) throw res.error;
    toast('Account created! Check your email to confirm then sign in.');
    S.log('SIGNUP', inp.email, 'info');
    closeMod('auth-modal');
  } catch (err) {
    toast('Sign up failed: ' + S.esc(err.message));
  } finally {
    if (btn) { btn.textContent = 'Sign In / Demo →'; btn.disabled = false; }
  }
}

// ── Supabase signIn ─────────────────────────────────────────
async function signInWithEmail() {
  if (!DB_CONFIGURED || !db) { doDemo(); return; }
  var inp = getAuthInputs();
  if (!inp.email || !inp.pass) { doDemo(); return; }
  var btn = document.getElementById('auth-confirm-btn');
  if (btn) { btn.textContent = 'Signing in...'; btn.disabled = true; }
  try {
    // The scraped version awaited signInWithEmail() itself here (unbounded recursion)
    // and then used a `res` that was never assigned. This is the supabase-js v2
    // password sign-in call that the rest of the block expects.
    var res = await db.auth.signInWithPassword({ email: inp.email, password: inp.pass });
    if (res.error) throw res.error;
    currentUser = res.data.user;
    // role is read back from user_metadata, i.e. the value this client sent at signUp;
    // it drives the role badge and the client-side requireRole() checks
    var role = (res.data.user.user_metadata && res.data.user.user_metadata.role) || 'seller';
    S.RBAC.setFromToken(S.JWT.generate(role));
    closeMod('auth-modal');
    updateRoleBadge();
    toast('Welcome back, ' + S.esc(res.data.user.email.split('@')[0]) + '!');
    S.log('SUPABASE_AUTH', res.data.user.email, 'info');
  } catch (err) {
    toast('Sign in failed: ' + S.esc(err.message));
    S.log('AUTH_FAILED', err.message, 'error');
  } finally {
    if (btn) { btn.textContent = 'Sign In / Demo →'; btn.disabled = false; }
  }
}

// ── Sign out ────────────────────────────────────────────────
async function signOut() {
  if (db) await db.auth.signOut();
  currentUser = null;
  S.RBAC.currentRole = 'visitor';
  S.RBAC.token = null;
  updateRoleBadge();
  toast('Signed out');
  S.log('SIGNOUT', '', 'info');
}
```
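The sign-in flow above hands S.RBAC a token from S.JWT.generate(role), and the audit credits S.JWT.parse() with structure, expiry and required-claim checks. Below is an added example of such a client-side parser; it is not the page's S.JWT code, and ALLOWED_ROLES, REQUIRED_CLAIMS, parseJwt and sampleToken are assumed names with constructed sample tokens.

```javascript
// Added example, not the page's S.JWT module: parse a JWT client-side and apply the
// checks the audit names (structure, expiry, required claims) plus a role allowlist.
// Assumptions: the four roles are the ones the page lists; required claims are sub, role, exp.
const ALLOWED_ROLES = ['visitor', 'seller', 'dealer', 'admin'];
const REQUIRED_CLAIMS = ['sub', 'role', 'exp'];

// base64url -> UTF-8 text. atob/btoa and TextDecoder/TextEncoder are globals in
// browsers and in Node 16+, so no Buffer is needed.
function b64urlDecode(s) {
  if (!/^[A-Za-z0-9_-]+$/.test(s)) throw new Error('invalid base64url');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

// Returns { ok: true, claims } or { ok: false, reason }. This validates shape and
// claims only; it cannot verify the signature, which needs the issuer's key and
// belongs on the server. A token that passes here is a UI hint, not an authorisation decision.
function parseJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof token !== 'string') return { ok: false, reason: 'not a string' };
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some(p => p.length === 0)) return { ok: false, reason: 'expected 3 segments' };
  let header, claims;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { ok: false, reason: 'segment is not base64url JSON' };
  }
  if (!header || typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    return { ok: false, reason: 'unacceptable alg' };
  }
  if (!claims || typeof claims !== 'object') return { ok: false, reason: 'claims not an object' };
  for (const c of REQUIRED_CLAIMS) {
    if (!(c in claims)) return { ok: false, reason: 'missing claim ' + c };
  }
  if (!Number.isInteger(claims.exp) || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  if (!ALLOWED_ROLES.includes(claims.role)) return { ok: false, reason: 'role not in allowlist' };
  return { ok: true, claims };
}

// Helpers that build constructed sample tokens for exercising the parser. The
// signature segment is a fixed placeholder because nothing here signs or verifies.
function b64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleToken(claims, alg = 'HS256') {
  return b64urlEncode({ alg, typ: 'JWT' }) + '.' + b64urlEncode(claims) + '.c2ln';
}
```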
Checks performed: XSS • SQL Injection • Hardcoded Secrets • Clickjacking • CSP • Open Redirect • RBAC • JWT • Rate Limiting • Audit Trail • Input Validation • Dependency Allowlist
| Severity | Status | Finding | Fix / Result |
|---|---|---|---|
| CRITICAL | FIXED | XSS via innerHTML (16 occurrences) | S.esc() HTML-entity encoder applied to every dynamic value before DOM insertion. |
| CRITICAL | FIXED | Reflected XSS in keyword chip | gf() runs S.esc() on f.kw; buildChips() inserts only pre-sanitised strings. |
| HIGH | FIXED | XSS in autocomplete (suggest box) | Rebuilt with createElement + textContent. No innerHTML on user-derived data. |
| HIGH | FIXED | No Content-Security-Policy | CSP meta tag restricts scripts, styles, fonts, frames and connections to approved origins. |
| HIGH | FIXED | Clickjacking (no X-Frame-Options) | X-Frame-Options: DENY added; frame-ancestors 'none' also set in CSP. |
| HIGH | FIXED | No RBAC — anyone accesses dealer features | S.RBAC module with 4 roles (visitor/seller/dealer/admin). requireRole() guards privileged actions. |
| HIGH | FIXED | No JWT validation | S.JWT.parse() validates structure, expiry and required claims. Tokens issued and parsed per session. |
| MEDIUM | FIXED | No input allowlist validation | S.ALLOWLISTS defined for fuel/body/trans/seller/rating/doors. S.allowlist() validates all selects. |
| MEDIUM | FIXED | No rate limiting on form submissions | S.rateLimit() applied to listing submit (3 per 10 min) and enquiry (3 per 60 s). |
| MEDIUM | FIXED | Unvalidated external redirects (tabnabbing) | S.safeNav() validates all URLs against S.ALLOWLISTS.domains. Forces noopener,noreferrer. |
| MEDIUM | FIXED | No audit logging | S.log() records all security events with timestamp, action, role and severity. Admin-only log viewer. |
| INFO | FIXED | External dependency allowlist missing | S.ALLOWLISTS.domains enforced on every window.open. Only 7 approved domains permitted. |
| N/A | Not applicable | SQL Injection | Static HTML file, no backend DB. Zero SQL attack surface. |
| PASS | NONE FOUND | Hardcoded Secrets Scan | CLEAN: No API keys, passwords, JWT secrets or tokens found in source. |
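The tabnabbing row and the dependency-allowlist row rest on the same check: parse the outbound URL, compare its host against the approved domains, and only then open it with noopener,noreferrer. Here is an added example of that check; it is not the page's S.safeNav or S.ALLOWLISTS code, and checkOutboundUrl, safeNav and the three-domain ALLOWED_DOMAINS list are assumed names and a constructed sample (the page's real list has 7 domains).

```javascript
// Added example, not the page's S.safeNav/S.ALLOWLISTS code: validate an outbound
// URL against a domain allowlist before opening it, and open it with
// noopener,noreferrer so the target page cannot reach window.opener (tabnabbing).
// Assumption: this allowlist is a constructed sample using domains named on the page.
const ALLOWED_DOMAINS = ['motorcheck.ie', 'nct.ie', 'rsa.ie'];

// Returns { ok: true, url } with the parser-normalised URL, or { ok: false, reason }.
// Using the URL parser rather than substring matching means "https://nct.ie.evil.example",
// "https://nct.ie@evil.example" and "https://evil.example/?u=nct.ie" are all rejected.
function checkOutboundUrl(raw, allowed = ALLOWED_DOMAINS) {
  let u;
  try {
    u = new URL(String(raw));
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  // https only: this also blocks javascript:, data: and plain http: targets
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme not https' };
  // userinfo is never needed for these links and is a classic way to disguise the real host
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  // exact match, or a subdomain of an allowlisted domain; the leading dot enforces a label boundary
  const match = allowed.some(d => host === d || host.endsWith('.' + d));
  if (!match) return { ok: false, reason: 'host not in allowlist: ' + host };
  return { ok: true, url: u.href };
}

// Navigation helper. Returns true when the URL was accepted (and opened in a browser),
// false when it was blocked; window is absent under Node, so the open call is guarded.
function safeNav(raw) {
  const res = checkOutboundUrl(raw);
  if (!res.ok) return false;
  if (typeof window !== 'undefined') window.open(res.url, '_blank', 'noopener,noreferrer');
  return true;
}
```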
🇮🇪 Ireland's Car Marketplace

Find Your Perfect Car Across Ireland

Thousands of private and dealer listings. Real prices. Zero middlemen.

  • 4,200+ Active Listings
  • 340+ Verified Dealers
  • 32 Counties
  • €0 Cost to List

Filters: 🆕 New This Week • 📉 Price Drops • ⚡ Electric Only • 💰 Under €10,000 • 📌 Low Mileage • 🏢 Dealer Only • 👤 Private Only • 🟢 Great Price Deals

Dealers: 🏆 AutoHouse Dublin • Cork Motor Group • Galway Car Centre • Limerick Motors

Views: All Listings • Recently Viewed • ❤ Saved Cars

Services
  • 🔍 Car History Check: NCT records, finance check, stolen status and mileage verification via Motorcheck.ie (Motorcheck.ie →)
  • 💳 Car Finance: Get approved in minutes with competitive rates from Bank of Ireland Finance. (Get a quote →)
  • 🛡 Car Insurance: Fast competitive quote from AXA Ireland. Drive away covered from day one. (Get insured →)
  • Book Your NCT: Book or check NCT status online. Direct link to the official NCT booking portal. (Book NCT →)
  • 📋 Transfer Ownership: Transfer motor tax and ownership online via RSA. No queues at the motor tax office. (RSA.ie →)

Grow Your Dealership with CarEireann

Reach tens of thousands of in-market buyers across every county in Ireland. Quality leads every day.

Starter: 49/mo, up to 10 listings
  • 10 active listings
  • Dealer profile page
  • Email leads
  • Basic analytics

Professional (Most Popular): 129/mo, up to 50 listings
  • 50 active listings
  • Featured dealer badge
  • Priority placement
  • Full analytics
  • Phone & email leads

Enterprise: 299/mo, unlimited listings
  • Unlimited listings
  • Homepage feature
  • Dedicated manager
  • API stock integration
  • WhatsApp lead routing

Sell Your Car. Simple & Free.

Private sellers list one car completely free. No hidden fees, no commission taken. Live within 24 hours.

  • 🚗 Private listing — free forever; Boost listing — €9.99 one-off
  • 📞 Direct enquiries to your phone
  • 🔒 Your number stays private

List Your Car

Form validation messages shown to the seller:
  • Please enter your full name (letters only)
  • Please enter a valid email address
  • Please enter a valid Irish phone number
  • Please describe your car (at least 5 characters)
  • Please enter a price between €100 and €500,000
📊 Security Audit Log (Admin only — RBAC protected)

Columns: Time • Action • Detail • Role • Sev