2013-06-25 - HTML5 & JavaScript Security
0 likes1,227 views
The document focuses on HTML5 security, discussing various attack vectors and strategies to mitigate them. It highlights specific examples of JavaScript execution vulnerabilities, Cross-Site Scripting (XSS) techniques, and the importance of data sanitization to prevent unauthorized access. The document serves as a presentation outline by Johannes Hoppe, aiming to educate on securing web applications.
1 of 43
Downloaded 14 times
![SVG
kann JavaScript enthalten!
Test
<?xmlversion="1.0"?>
<svgxmlns="http://www.w3.org/2000/svg"width="200"height="50">
<defs><style> </style></defs>
<circlecx="20"cy="20"r="15"fill="yellow"stroke="black"/>
<circlecx="15"cy="15"r="2"fill="black"stroke="black"/>
<circlecx="25"cy="15"r="2"fill="black"stroke="black"/>
<pathd="M1326A530002726"stroke="black"fill="none"stroke-width="2"transform="rotate(180,2
0,28)"/>
<textx="11"y="50"id="display">Test</text>
<script>
</script>
</svg>
<![CDATA[text{font-size:6pt;}]]>
alert(document.cookie);
document.getElementById('display').textContent=document.cookie;](https://image.slidesharecdn.com/2013-06-25-html5javascriptsecurity-130622180340-phpapp01/85/2013-06-25-HTML5-JavaScript-Security-8-320.jpg)
![WebSQL
SQL Injection:
Prepared Statement:
executeSql("SELECT foo FROM bar WHERE value=" + value);
executeSql("SELECT foo FROM bar WHERE value=?", [value]);](https://image.slidesharecdn.com/2013-06-25-html5javascriptsecurity-130622180340-phpapp01/85/2013-06-25-HTML5-JavaScript-Security-31-320.jpg)
![Mashups!
define(['jquery', 'knockout',
'knockout.mapping', 'domReady!'], function ($, ko, mapping) {
var url ='http://search.twitter.com/search.json?q=%23xss&callback=?';
$.getJSON(url).done(function (data) {
var viewModel = mapping.fromJS(data);
ko.applyBindings(viewModel, $('#tweets').get(0));
});
});](https://image.slidesharecdn.com/2013-06-25-html5javascriptsecurity-130622180340-phpapp01/85/2013-06-25-HTML5-JavaScript-Security-33-320.jpg)
Ad
Recommended
QA for PHP projects
QA for PHP projectsMichelangelo van Dam This document discusses quality assurance (QA) for PHP projects. It introduces various QA tools and techniques including syntax checking, documentation, testing, version control and code coverage. Screenshots are provided to illustrate concepts like detecting bugs early, observing behavior and preventing mistakes. The document also includes exercises for attendees to practice setting up version control with Git, running syntax checks with PHP Lint, generating documentation with phpDocumentor, and testing models with PHPUnit.
2013 05-03 - HTML5 & JavaScript Security
2013 05-03 - HTML5 & JavaScript SecurityJohannes Hoppe The document discusses web application security, focusing on various attack vectors such as XSS (Cross-Site Scripting) and methods to prevent them. It emphasizes the need for escaping dynamic data and the risks associated with using client-side storage for sensitive information. Additionally, it highlights the importance of security measures like prepared statements for SQL queries and the implications of CORS in communication.
Automated testing for client-side - Adam Klein, 500 Tech
Automated testing for client-side - Adam Klein, 500 TechCodemotion Tel Aviv This document discusses client-side testing using Jasmine and Karma. It introduces Jasmine as the most popular testing framework for writing unit tests in the browser. It demonstrates a simple example of using Jasmine to test a Person constructor function. It then discusses Karma, a test runner that makes browser testing seamless. Karma allows running tests across multiple browsers simultaneously. The document also covers techniques for testing AngularJS controllers and services, including mocking external server calls. It emphasizes that while tests may pass using mocks, the mocks represent the contract with the external system and code could still fail if that contract changes.
CSS in React - Will Change Transform
CSS in React - Will Change TransformJoe Seifi The document discusses various techniques for managing CSS in React applications in a maintainable way. It describes how CSS modules, Styled Components, and other libraries can help avoid issues like unused CSS selectors and classes by scoping styles and preventing dead code. It also discusses how style components and snapshots can help test CSS rules.
What's new in Rails 2?
What's new in Rails 2?brynary The document outlines the new features introduced in Rails 2, including updates to ActiveRecord validation, a new cookie session store, and enhancements to asset caching. It also discusses improvements to routing, form helpers, and debugging tools, as well as the removal of certain database adapters and the shift to the 'form_tag' block syntax. Additionally, it highlights the importance of upgrading from earlier versions and suggests resources for further guidance.
1cst
1cstGriffinder VinHai The document contains code for a simple calculator application with functions to add, subtract, multiply and divide two numbers entered in text fields. It uses JavaScript to get the values from the text fields, perform the mathematical operation and output the result in a third text field. The calculator has buttons to perform each operation and a clear button to reset the fields.
Phoenix for laravel developers
Phoenix for laravel developersLuiz Messias The document discusses a talk on functional programming and its application in building web applications using Phoenix for Laravel developers. It explores concepts like immutability, concurrency, and provides examples of coding practices in both Phoenix and Laravel environments. Additionally, it compares the two frameworks, highlighting similarities and differences in their architecture and broadcasting capabilities.
The Code
The CodeGary Barber This document contains code samples in multiple programming languages, including Cobol, Lolcode, Coldfusion, Ruby, and pseudocode. It shows name processing and validation routines in Cobol, a conversation with pets in Lolcode, formatting currency values for different locales in Coldfusion, making an API request in Ruby, and various functions, loops, flags, and conditions in pseudocode.
Geek Moot '09 -- Smarty 101
Geek Moot '09 -- Smarty 101Ted Kulp The document provides an overview of Smarty, a widely used PHP templating system. It discusses that Smarty was created by Andrei Zmievski and separates display logic from controller logic for improved security and ease of use. Key features covered include literal tags, modifiers, and capture/cycle functions that allow for powerful templating capabilities. Examples demonstrate how to output variables, format dates, and alternate content display. Resources listed provide more documentation on Smarty syntax and usage.
Cloud Entwicklung mit Apex
Cloud Entwicklung mit ApexAptly GmbH The document discusses using Apex and Visualforce to build a case management application on the Salesforce platform. It covers using Apex controllers and extensions to build interfaces for adding, viewing, and selecting conversations related to a case. Visualforce pages are used to display conversation input forms, lists, and details. The application allows conversations to be quickly edited on the case page by building custom Apex controllers and Visualforce components to integrate conversations directly into the case view.
МИХАЙЛО БОДНАРЧУК «SuperCharged End to End Testing with CodeceptJS» QADay 2019
МИХАЙЛО БОДНАРЧУК «SuperCharged End to End Testing with CodeceptJS» QADay 2019QADay The document presents an overview of CodeceptJS, an end-to-end testing framework designed for simplicity and clarity in writing tests. It emphasizes a user-centric approach where testing scenarios closely follow real user interactions while addressing common challenges in testing such as flaky actions and complex locators. The framework supports various backends and enables integration with tools like Selenium and Puppeteer, making it versatile for developers.
UA testing with Selenium and PHPUnit - PHPBenelux Summer BBQ
UA testing with Selenium and PHPUnit - PHPBenelux Summer BBQMichelangelo van Dam The document provides a comprehensive guide on using Selenium with PHPUnit for user acceptance testing, detailing the setup process, test case examples, and benefits of multi-browser support. It emphasizes that Selenium tests complement, rather than replace, standard unit tests by focusing on user experience and functional requirements. The content includes code snippets and practical steps for automating tests, including setting up a Selenium Grid for continuous integration.
Lettering js
Lettering jsdavatron5000 This document describes a jQuery plugin called Lettering.js, designed to enhance web typography by allowing precise control over individual characters, words, and lines within HTML text. It provides a brief overview of how to implement the plugin using JavaScript and CSS to achieve customized text displays. Additionally, the document includes code snippets and examples for various text manipulation functionalities, emphasizing the plugin's lightweight nature and practicality.
Html
Htmlg Nama This document contains hacked HTML code that was inserted by "Vaga kontol & Dr_h0uCk BiG BOSS fuck lol". The code includes JavaScript that animates text revealing the message "This site was hacked by vaga-HACkeR Dz. sok jago bangsat" and other messages claiming responsibility for the hack. It also includes code to block right clicking on the page and redirect any clicks.
jQuery Plugin Creation
jQuery Plugin Creationbenalman The document provides tips and best practices for creating jQuery plugins, including organizing code structure, generalizing functionality, minimizing file size through minification, and optimizing performance. It discusses using closures and object literals for plugins, exposing only necessary methods, avoiding duplicate code, and helping the compressor by using arrays and strings. The goal is to build clean, simple APIs while generalized and minimized code.
Maintainable JavaScript 2012
Maintainable JavaScript 2012Nicholas Zakas This document summarizes Nicholas C. Zakas's presentation on maintainable JavaScript. The presentation discusses why maintainability is important, as most time is spent maintaining code. It defines maintainable code as code that works for five years without major changes and is intuitive, understandable, adaptable, extendable, debuggable and testable. The presentation covers code style guidelines, programming practices, code organization techniques and automation tools to help write maintainable JavaScript.
Intro to OAuth
Intro to OAuthmfrost503 The document discusses OAuth 1.0 and 2.0 authentication protocols. It explains the key concepts of OAuth 1.0 including the use of consumer tokens, temporary credentials, access tokens, and signing requests with HMAC-SHA1 signatures. It also covers OAuth 2.0 which removes signatures in favor of SSL/TLS and uses grants like authorization code and implicit to issue access tokens. The document provides code examples for implementing OAuth 1.0 token requests and authorization headers.
Basics of Java Script (JS)
Basics of Java Script (JS)Ajay Khatri This document serves as a comprehensive introduction to JavaScript, covering various aspects such as DHTML, syntax, data types, and the Document Object Model (DOM). It discusses practical use cases like form validation, event handling, and dynamic behavior implementation in web pages, alongside examples and code snippets. Additionally, it explains JavaScript's advantages, including interactivity and enhanced user experience in web development.
14922 java script built (1)
14922 java script built (1)dineshrana201992 JavaScript supports built-in objects like String, Date, and Math that extend the language's functionality. String methods allow manipulating and extracting characters from strings. Date objects represent dates and times using methods like new Date(). The Math object provides mathematical constants and functions for tasks like generating random numbers and rounding values.
Java Script
Java ScriptKalidass Balasubramaniam Scripting languages like JavaScript allow scripts to be executed by programs. Scripts contain lists of instructions that are interpreted on the fly rather than compiled. Scripts can run on the client-side in web browsers or on the server-side through programs like PHP. JavaScript is commonly used for client-side scripting due to its ease of use and ability to dynamically update web pages in the browser. The JavaScript DOM provides methods for accessing and modifying HTML elements with JavaScript.
JavaScript Needn't Hurt!
JavaScript Needn't Hurt!Thomas Kjeldahl Nilsson This document is a comprehensive introduction to JavaScript, covering its basic syntax, object-oriented programming, common practices, and tools for development. It discusses both the positives and negatives of JavaScript, as well as best practices for writing clean, maintainable code. The document also encourages practical application and further learning through various resources.
前端概述
前端概述Ethan Zhang The document provides an overview of front-end technologies including HTML, CSS, JavaScript, Ajax and jQuery. It discusses how the front-end interacts with the user's browser and backend servers. It describes the roles of HTML, CSS and JavaScript in content, styles and behaviors. It then covers HTML tags and structures, CSS, JavaScript basics and its use in browsers with BOM and DOM APIs. The document also summarizes Ajax and how it enables asynchronous JavaScript requests, and introduces jQuery and how it simplifies DOM and Ajax operations.
Plugin jQuery, Design Patterns
Plugin jQuery, Design PatternsRobert Casanova The document discusses various JavaScript patterns for designing jQuery plugins, including constructor functions, object creation, and the use of the prototype for methods. It outlines the structure for a simple jQuery plugin using an immediately invoked function expression (IIFE) and provides examples of initializing and using plugins. It also demonstrates the dom-to-object bridge pattern and method creation for plugins.
Desafios do Profissionalismo Ágil
Desafios do Profissionalismo ÁgilVictor Hugo Germano The document discusses challenges in agile professional practices, emphasizing the importance of constant testing and quality in software development. It touches on concepts like test-driven development (TDD), continuous integration, and the significance of clean code. Various tools and methodologies relevant to these practices are mentioned, alongside a call for professional responsibility in coding and testing.
Making and Breaking Web Services with Ruby
Making and Breaking Web Services with Rubyerr This document discusses using Ruby to work with web services and SOAP. It describes how the Ruby SOAP library can be used to create client methods on the fly and convert data types. Wrapping existing SOAP services in Ruby is demonstrated. Testing SOAP calls with mocks is also covered. Working with microformats and parsing HTML is explained using the Hpricot and Mofo gems. Finally, using Hpricot to parse XML documents is briefly mentioned.
Compatibility Detector Tool of Chrome extensions
Compatibility Detector Tool of Chrome extensionsKai Cui The document describes the Compatibility Detector Tool, an extension for Chrome that scans web pages for potential compatibility issues across different browsers. It launches with 14 detectors that check things like CSS box model compliance, new block formatting contexts, and pseudo-elements. The extension uses a detector model with base detector classes to check nodes or perform post-analysis. Developers can write custom detectors by declaring them using the provided detector APIs and registering hooks. The source code is available on Google Code to allow building custom compatibility testing frameworks.
날로 먹는 Django admin 활용
날로 먹는 Django admin 활용KyeongMook "Kay" Cha The document outlines a Django application framework that includes models for user profiles, products, images, and orders. It provides the structure for managing product and order data, including fields for tracking status and prices, and includes admin configurations to manage data displays. Additionally, it integrates user management features, allowing for custom administrative user displays and filters based on order counts and costs.
RIA 08 - AJAX and jQuery
RIA 08 - AJAX and jQueryJohannes Hoppe This document contains slides from a presentation on message exchange patterns, protocols and formats, and jQuery. Regarding message exchange patterns, it discusses common patterns like request-reply, one-way, and duplex messaging. It notes that AJAX uses an asynchronous request-reply pattern. For protocols, it covers SOAP and REST, and notes that REST leverages HTTP verbs and status codes. JSON is presented as a lightweight data serialization format. jQuery is introduced as a popular JavaScript library for DOM manipulation, events, and Ajax. Code examples demonstrate its usage.
Einführung in Angular 2
Einführung in Angular 2Johannes Hoppe The document provides an introduction and quick start guide for Angular 2.0, covering setup, components, and data binding through TypeScript. It includes example code for creating a book rating application, detailing how to implement components, templates, event handling, and forms.
2012-06-25 - MapReduce auf Azure
2012-06-25 - MapReduce auf AzureJohannes Hoppe The document contains a series of data entries and log records, including IP addresses, timestamps, requests, response codes, and user agents. It appears to be related to data processing using Hadoop's MapReduce framework, along with specific details regarding image requests and server responses. Additionally, there are references to scripts for processing and managing input and output files.
More Related Content
What's hot (19)
Geek Moot '09 -- Smarty 101
Geek Moot '09 -- Smarty 101Ted Kulp The document provides an overview of Smarty, a widely used PHP templating system. It discusses that Smarty was created by Andrei Zmievski and separates display logic from controller logic for improved security and ease of use. Key features covered include literal tags, modifiers, and capture/cycle functions that allow for powerful templating capabilities. Examples demonstrate how to output variables, format dates, and alternate content display. Resources listed provide more documentation on Smarty syntax and usage.
Cloud Entwicklung mit Apex
Cloud Entwicklung mit ApexAptly GmbH The document discusses using Apex and Visualforce to build a case management application on the Salesforce platform. It covers using Apex controllers and extensions to build interfaces for adding, viewing, and selecting conversations related to a case. Visualforce pages are used to display conversation input forms, lists, and details. The application allows conversations to be quickly edited on the case page by building custom Apex controllers and Visualforce components to integrate conversations directly into the case view.
МИХАЙЛО БОДНАРЧУК «SuperCharged End to End Testing with CodeceptJS» QADay 2019
МИХАЙЛО БОДНАРЧУК «SuperCharged End to End Testing with CodeceptJS» QADay 2019QADay The document presents an overview of CodeceptJS, an end-to-end testing framework designed for simplicity and clarity in writing tests. It emphasizes a user-centric approach where testing scenarios closely follow real user interactions while addressing common challenges in testing such as flaky actions and complex locators. The framework supports various backends and enables integration with tools like Selenium and Puppeteer, making it versatile for developers.
UA testing with Selenium and PHPUnit - PHPBenelux Summer BBQ
UA testing with Selenium and PHPUnit - PHPBenelux Summer BBQMichelangelo van Dam The document provides a comprehensive guide on using Selenium with PHPUnit for user acceptance testing, detailing the setup process, test case examples, and benefits of multi-browser support. It emphasizes that Selenium tests complement, rather than replace, standard unit tests by focusing on user experience and functional requirements. The content includes code snippets and practical steps for automating tests, including setting up a Selenium Grid for continuous integration.
Lettering js
Lettering jsdavatron5000 This document describes a jQuery plugin called Lettering.js, designed to enhance web typography by allowing precise control over individual characters, words, and lines within HTML text. It provides a brief overview of how to implement the plugin using JavaScript and CSS to achieve customized text displays. Additionally, the document includes code snippets and examples for various text manipulation functionalities, emphasizing the plugin's lightweight nature and practicality.
Html
Htmlg Nama This document contains hacked HTML code that was inserted by "Vaga kontol & Dr_h0uCk BiG BOSS fuck lol". The code includes JavaScript that animates text revealing the message "This site was hacked by vaga-HACkeR Dz. sok jago bangsat" and other messages claiming responsibility for the hack. It also includes code to block right clicking on the page and redirect any clicks.
jQuery Plugin Creation
jQuery Plugin Creationbenalman The document provides tips and best practices for creating jQuery plugins, including organizing code structure, generalizing functionality, minimizing file size through minification, and optimizing performance. It discusses using closures and object literals for plugins, exposing only necessary methods, avoiding duplicate code, and helping the compressor by using arrays and strings. The goal is to build clean, simple APIs while generalized and minimized code.
Maintainable JavaScript 2012
Maintainable JavaScript 2012Nicholas Zakas This document summarizes Nicholas C. Zakas's presentation on maintainable JavaScript. The presentation discusses why maintainability is important, as most time is spent maintaining code. It defines maintainable code as code that works for five years without major changes and is intuitive, understandable, adaptable, extendable, debuggable and testable. The presentation covers code style guidelines, programming practices, code organization techniques and automation tools to help write maintainable JavaScript.
Intro to OAuth
Intro to OAuthmfrost503 The document discusses OAuth 1.0 and 2.0 authentication protocols. It explains the key concepts of OAuth 1.0 including the use of consumer tokens, temporary credentials, access tokens, and signing requests with HMAC-SHA1 signatures. It also covers OAuth 2.0 which removes signatures in favor of SSL/TLS and uses grants like authorization code and implicit to issue access tokens. The document provides code examples for implementing OAuth 1.0 token requests and authorization headers.
Basics of Java Script (JS)
Basics of Java Script (JS)Ajay Khatri This document serves as a comprehensive introduction to JavaScript, covering various aspects such as DHTML, syntax, data types, and the Document Object Model (DOM). It discusses practical use cases like form validation, event handling, and dynamic behavior implementation in web pages, alongside examples and code snippets. Additionally, it explains JavaScript's advantages, including interactivity and enhanced user experience in web development.
14922 java script built (1)
14922 java script built (1)dineshrana201992 JavaScript supports built-in objects like String, Date, and Math that extend the language's functionality. String methods allow manipulating and extracting characters from strings. Date objects represent dates and times using methods like new Date(). The Math object provides mathematical constants and functions for tasks like generating random numbers and rounding values.
Java Script
Java ScriptKalidass Balasubramaniam Scripting languages like JavaScript allow scripts to be executed by programs. Scripts contain lists of instructions that are interpreted on the fly rather than compiled. Scripts can run on the client-side in web browsers or on the server-side through programs like PHP. JavaScript is commonly used for client-side scripting due to its ease of use and ability to dynamically update web pages in the browser. The JavaScript DOM provides methods for accessing and modifying HTML elements with JavaScript.
JavaScript Needn't Hurt!
JavaScript Needn't Hurt!Thomas Kjeldahl Nilsson This document is a comprehensive introduction to JavaScript, covering its basic syntax, object-oriented programming, common practices, and tools for development. It discusses both the positives and negatives of JavaScript, as well as best practices for writing clean, maintainable code. The document also encourages practical application and further learning through various resources.
前端概述
前端概述Ethan Zhang The document provides an overview of front-end technologies including HTML, CSS, JavaScript, Ajax and jQuery. It discusses how the front-end interacts with the user's browser and backend servers. It describes the roles of HTML, CSS and JavaScript in content, styles and behaviors. It then covers HTML tags and structures, CSS, JavaScript basics and its use in browsers with BOM and DOM APIs. The document also summarizes Ajax and how it enables asynchronous JavaScript requests, and introduces jQuery and how it simplifies DOM and Ajax operations.
Plugin jQuery, Design Patterns
Plugin jQuery, Design PatternsRobert Casanova The document discusses various JavaScript patterns for designing jQuery plugins, including constructor functions, object creation, and the use of the prototype for methods. It outlines the structure for a simple jQuery plugin using an immediately invoked function expression (IIFE) and provides examples of initializing and using plugins. It also demonstrates the dom-to-object bridge pattern and method creation for plugins.
Desafios do Profissionalismo Ágil
Desafios do Profissionalismo ÁgilVictor Hugo Germano The document discusses challenges in agile professional practices, emphasizing the importance of constant testing and quality in software development. It touches on concepts like test-driven development (TDD), continuous integration, and the significance of clean code. Various tools and methodologies relevant to these practices are mentioned, alongside a call for professional responsibility in coding and testing.
Making and Breaking Web Services with Ruby
Making and Breaking Web Services with Rubyerr This document discusses using Ruby to work with web services and SOAP. It describes how the Ruby SOAP library can be used to create client methods on the fly and convert data types. Wrapping existing SOAP services in Ruby is demonstrated. Testing SOAP calls with mocks is also covered. Working with microformats and parsing HTML is explained using the Hpricot and Mofo gems. Finally, using Hpricot to parse XML documents is briefly mentioned.
Compatibility Detector Tool of Chrome extensions
Compatibility Detector Tool of Chrome extensionsKai Cui The document describes the Compatibility Detector Tool, an extension for Chrome that scans web pages for potential compatibility issues across different browsers. It launches with 14 detectors that check things like CSS box model compliance, new block formatting contexts, and pseudo-elements. The extension uses a detector model with base detector classes to check nodes or perform post-analysis. Developers can write custom detectors by declaring them using the provided detector APIs and registering hooks. The source code is available on Google Code to allow building custom compatibility testing frameworks.
날로 먹는 Django admin 활용
날로 먹는 Django admin 활용KyeongMook "Kay" Cha The document outlines a Django application framework that includes models for user profiles, products, images, and orders. It provides the structure for managing product and order data, including fields for tracking status and prices, and includes admin configurations to manage data displays. Additionally, it integrates user management features, allowing for custom administrative user displays and filters based on order counts and costs.
Viewers also liked (7)
RIA 08 - AJAX and jQuery
RIA 08 - AJAX and jQueryJohannes Hoppe This document contains slides from a presentation on message exchange patterns, protocols and formats, and jQuery. Regarding message exchange patterns, it discusses common patterns like request-reply, one-way, and duplex messaging. It notes that AJAX uses an asynchronous request-reply pattern. For protocols, it covers SOAP and REST, and notes that REST leverages HTTP verbs and status codes. JSON is presented as a lightweight data serialization format. jQuery is introduced as a popular JavaScript library for DOM manipulation, events, and Ajax. Code examples demonstrate its usage.
Einführung in Angular 2
Einführung in Angular 2Johannes Hoppe The document provides an introduction and quick start guide for Angular 2.0, covering setup, components, and data binding through TypeScript. It includes example code for creating a book rating application, detailing how to implement components, templates, event handling, and forms.
2012-06-25 - MapReduce auf Azure
2012-06-25 - MapReduce auf AzureJohannes Hoppe The document contains a series of data entries and log records, including IP addresses, timestamps, requests, response codes, and user agents. It appears to be related to data processing using Hadoop's MapReduce framework, along with specific details regarding image requests and server responses. Additionally, there are references to scripts for processing and managing input and output files.
MDC kompakt 2014: Hybride Apps mit Cordova, AngularJS und Ionic
MDC kompakt 2014: Hybride Apps mit Cordova, AngularJS und IonicJohannes Hoppe Sehen Sie sich das Video an: http://haushoppe-its.de/videos/mdc-kompakt-2014-hybride-apps-mit-cordova-angularjs-und-ionic/
Dieser Vortrag wurde am 18.11.2014 bei der "MDC - Mobile Developer Conference kompakt 2014" aufgenommen.
Dank Apache Cordova ist es möglich, Ihr bestehendes Wissen zu HTML5, JavaScript und CSS3 auf mobile Apps anzuwenden. Nutzen Sie AngularJS von Google, um Techniken wie MVC und Data Binding in den Browser zu bringen. Erfahren Sie in diesem Vortrag, wie Sie mit dem jüngsten Spross, dem Ionic Framework, ansprechende Oberflächen für iOS, Android und Windows Phone gestalten können. Statt PowerPoint erwartet Sie viel Live Coding. Johannes Hoppe wird zusammen mit Ihnen eine erste hybride Anwendung entwickeln.
2015 02-09 - NoSQL Vorlesung Mosbach
2015 02-09 - NoSQL Vorlesung MosbachJohannes Hoppe The document discusses trends in data, networking, and individualization. It then covers topics around scaling databases including scale-up (vertical scaling) and scale-out (horizontal scaling). It notes that NoSQL databases do not use a relational data model or SQL, instead supporting distributed and horizontal scalability with loose or no schema restrictions and different consistency models. Requirements for distributed systems like consistency, availability, and partition tolerance are discussed in relation to Brewer's CAP theorem from 2000.
Ajax.ppt
Ajax.pptMAGNA COLLEGE OF ENGINEERING Ajax allows web pages to be updated asynchronously by exchanging data with a web server behind the scenes. This is done through the XMLHttpRequest object in JavaScript. By using Ajax, web pages feel more responsive because users can interact with the page while data is being loaded in the background without interfering with the display and behavior of the existing page.
Ajax ppt - 32 slides
Ajax ppt - 32 slidesSmithss25 The document provides an overview of AJAX (Asynchronous JavaScript and XML) as a methodology that enhances web application interactivity by using various web technologies. It outlines the historical development of AJAX, emphasizing its importance for better user experience, reduced maintenance costs, and improved resource sharing. However, it also notes some drawbacks such as dependency on JavaScript and challenges with search engine indexing.
Ad
More from Johannes Hoppe (20)
NoSQL - Hands on
NoSQL - Hands onJohannes Hoppe This document provides an overview of MongoDB and examples of CRUD operations. It discusses setting up a MongoDB directory and starting the server and shell. It then demonstrates creating, reading, updating, and deleting documents. Examples show inserting single documents and bulk inserting 1000 documents with random scores. Queries are demonstrated using find() with filters. Updates are shown using update() with $set and $push operators. Hands-on exercises are provided to practice CRUD operations on sample datasets.
2013-06-24 - Software Craftsmanship with JavaScript
2013-06-24 - Software Craftsmanship with JavaScriptJohannes Hoppe This document discusses principles of software craftsmanship including:
- Common JavaScript pitfalls like implied globals, trailing commas, and return undefined
- Best practices like avoiding globals, using module patterns for organization, and test-driven development
- Tools for JavaScript development like Jasmine for testing, RequireJS for module loading, and Visual Studio for debugging
- The process of test-driven development including writing tests, making them fail, making them pass, refactoring code, and repeating
2013-06-15 - Software Craftsmanship mit JavaScript
2013-06-15 - Software Craftsmanship mit JavaScriptJohannes Hoppe The document discusses principles and tools of software craftsmanship, focusing on JavaScript practices like avoiding global variables, using the revealing module pattern, and implementing test-driven development (TDD). It also provides examples of code to demonstrate key concepts, highlights best practices in error handling, and mentions tools like Jasmine for testing. Ultimately, it emphasizes continuous learning and improvement in coding through self-reflection and peer feedback.
2013-03-23 - NoSQL Spartakiade
2013-03-23 - NoSQL SpartakiadeJohannes Hoppe This document discusses different data modeling techniques for MongoDB including embedding documents, linking documents by ID, and handling many-to-many relationships. It provides code examples of saving documents, querying, and updating in MongoDB. It also briefly covers software testing strategies for MongoDB applications.
2013 02-26 - Software Tests with Mongo db
2013 02-26 - Software Tests with Mongo dbJohannes Hoppe The document outlines code snippets for using an in-memory embedded document store and MongoDB to perform complex test scenarios. It demonstrates initializing a document store and starting a MongoDB runner for database operations. There are references to specific packages and methods for database interactions.
2013-02-21 - .NET UG Rhein-Neckar: JavaScript Best Practices
2013-02-21 - .NET UG Rhein-Neckar: JavaScript Best PracticesJohannes Hoppe The document provides JavaScript best practices focusing on code quality, avoiding antipatterns like implied globals and eval, and recommendations for style like indentation and naming conventions. It also discusses testing with Jasmine including writing tests, making them pass, refactoring code, and repeating the test-driven development process. Modular code organization techniques like revealing module pattern and event publishing are also covered.
2012-10-16 - WebTechCon 2012: HTML5 & WebGL
2012-10-16 - WebTechCon 2012: HTML5 & WebGLJohannes Hoppe Das Dokument beschreibt eine VRML v2.0-Szene mit einer Kugelgestalt und spezifischen Materialien. Die Kugel hat einen Radius von 1,5 und ist grün gefärbt sowie stark reflektierend. Es enthält einen Link zu einer WebGL-Demonstration.
2012-09-18 - HTML5 & WebGL
2012-09-18 - HTML5 & WebGLJohannes Hoppe Das Dokument beschreibt ein VRML-Skript zur Erstellung einer 3D-Sphäre mit einem Radius von 1,5 und einer grünen, stark reflektierenden Oberfläche. Die Sphäre ist im Ursprung positioniert und Teil eines größeren 3D-Modells. Ein Link zur Demonstration in WebGL wird bereitgestellt.
2012-09-17 - WDC12: Node.js & MongoDB
2012-09-17 - WDC12: Node.js & MongoDBJohannes Hoppe The document discusses a 2006 live demo related to a solar tournament and includes code snippets demonstrating database queries and an HTTP server setup. It showcases a MongoDB entry with various fields like title, message, and categories. The overall focus is on handling asynchronous operations in JavaScript.
2012-08-29 - NoSQL Bootcamp (Redis, RavenDB & MongoDB für .NET Entwickler)
2012-08-29 - NoSQL Bootcamp (Redis, RavenDB & MongoDB für .NET Entwickler)Johannes Hoppe The document discusses various case files related to NoSQL databases, including practical coding examples for Redis, RavenDB, and MongoDB. It highlights the structure and functionalities of these databases while mentioning important concepts like scalability, consistency, and data modeling. The document also contains useful commands and operations for managing data within these systems.
2012-05-14 NoSQL in .NET - mit Redis und MongoDB
2012-05-14 NoSQL in .NET - mit Redis und MongoDBJohannes Hoppe Das Dokument enthält eine Sammlung von Befehlen und Beispielen zur Nutzung von MongoDB, einschließlich der Erstellung, Abfrage und Manipulation von Daten in Notizen, Blogs und Produktkategorien. Es beschreibt spezifische Datenmodellen und deren Beziehungen, wie die Verknüpfung von Produkten mit Kategorien. Zudem werden Chronologien und Entwicklungen in der NoSQL-Datenbank-Technologie sowie verwandte Modelle erwähnt.
2012-05-10 - UG Karlsruhe: NoSQL in .NET - mit Redis und MongoDB
2012-05-10 - UG Karlsruhe: NoSQL in .NET - mit Redis und MongoDBJohannes Hoppe Das Dokument beschreibt verschiedene MongoDB-Befehle zur Verwaltung von Notizen, Blogs, Kommentaren und Produktkategorien. Es zeigt Beispiele für das Hinzufügen, Aktualisieren und Abfragen von Daten in einer Datenbank. Zudem wird die Entwicklung von NoSQL-Datenbanken kurz angesprochen, einschließlich der historischen Aspekte von deren Entstehung.
2012-04-12 - AOP .NET UserGroup Niederrhein
2012-04-12 - AOP .NET UserGroup NiederrheinJohannes Hoppe 1. The document discusses applying architectural patterns and principles like logging, validation, transactions, and exception handling to business logic code in .NET.
2. It shows an example of refactoring a method that rents a book to a customer to add logging, validate method parameters, retry transactions using a scope, and handle exceptions.
3. By applying these techniques, the business logic is made more robust, maintainable, and aligned with best practices for .NET development.
2012-03-20 - Getting started with Node.js and MongoDB on MS Azure
2012-03-20 - Getting started with Node.js and MongoDB on MS AzureJohannes Hoppe This document serves as a guide for getting started with Node.js and MongoDB on Microsoft Azure, highlighting the capabilities of using these technologies in a Windows-hosted environment. It provides installation instructions, deployment steps, and integration tips for MongoDB with Azure. The conclusion emphasizes the stability of Node.js on Azure, but cautions against using MongoDB's development version in production.
2012-01-31 NoSQL in .NET
2012-01-31 NoSQL in .NETJohannes Hoppe Die Veranstaltung "Visual Studio für Windows-Entwickler" behandelte die Entwicklung mit NoSQL-Datenbanken wie MongoDB und RavenDB und deren Eigenschaften im Vergleich zu relationalen Datenbanken. Es wurden Konzepte wie Skalierung, Konsistenzmodelle und CRUD-Operationen vorgestellt, sowie die Implementierung und Verwendung beider Datenbanken erläutert. Zudem wurde auf bevorstehende Konferenzen und Veranstaltungen hingewiesen, die weitere Themen im Bereich Softwareentwicklung abdecken.
2011-12-13 NoSQL aus der Praxis
2011-12-13 NoSQL aus der PraxisJohannes Hoppe This document discusses NoSQL databases and provides an overview of MongoDB and RavenDB. It begins with trends driving the adoption of NoSQL databases like increasing data sizes, more connectedness, and individualization. It then covers concepts like horizontal scaling, schema flexibility, and CAP theorem. Specific sections provide information on MongoDB's BSON format, CRUD operations, and MapReduce. For RavenDB, it discusses the developer, deployment, indexing, and HTTP API. It concludes with questions about table to document mapping and key/index strategies.
2011-06-27 - AOP - .NET User Group Rhein Neckar
2011-06-27 - AOP - .NET User Group Rhein NeckarJohannes Hoppe The document provides an introduction to aspect-oriented programming with .NET. It discusses various cross-cutting concerns like logging, exceptions, validation, and caching that can be addressed using aspect-oriented programming. It also demonstrates how aspects are used to modify the intermediate language (IL) code to inject cross-cutting behavior before, after, and around method calls. Various aspect oriented programming frameworks for .NET are also mentioned.
DMDW 8. Student Presentation - Groovy to MongoDB
DMDW 8. Student Presentation - Groovy to MongoDBJohannes Hoppe The document outlines an ETL project to extract data from an Excel room-plan file, transform it into a new structure and data types, and load it into a database. It discusses exporting the CSV file from Excel and issues with encoding and delimiter. It then describes using a Groovy script to parse the file and handle inconsistent data. Finally, it notes putting the objects into the database and addressing problems around data conversion and structure.
Ad
Recently uploaded (20)
Artificial Intelligence in the Nonprofit Boardroom.pdf
Artificial Intelligence in the Nonprofit Boardroom.pdfOnBoard OnBoard recently partnered with Microsoft Tech for Social Impact on the AI in the Nonprofit Boardroom Survey, an initiative designed to uncover the current and future role of artificial intelligence in nonprofit governance.
AI VIDEO MAGAZINE - June 2025 - r/aivideo
AI VIDEO MAGAZINE - June 2025 - r/aivideo1pcity Studios, Inc AI VIDEO MAGAZINE - r/aivideo community newsletter – Exclusive Tutorials: How to make an AI VIDEO from scratch, PLUS: How to make AI MUSIC, Hottest ai videos of 2025, Exclusive Interviews, New Tools, Previews, and MORE - JUNE 2025 ISSUE -
OpenACC and Open Hackathons Monthly Highlights June 2025
OpenACC and Open Hackathons Monthly Highlights June 2025OpenACC The OpenACC organization focuses on enhancing parallel computing skills and advancing interoperability in scientific applications through hackathons and training. The upcoming 2025 Open Accelerated Computing Summit (OACS) aims to explore the convergence of AI and HPC in scientific computing and foster knowledge sharing. This year's OACS welcomes talk submissions from a variety of topics, from Using Standard Language Parallelism to Computer Vision Applications. The document also highlights several open hackathons, a call to apply for NVIDIA Academic Grant Program and resources for optimizing scientific applications using OpenACC directives.
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptxFIDO Alliance FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptxFIDO Alliance FIDO Seminar: Perspectives on Passkeys & Consumer Adoption
Enabling BIM / GIS integrations with Other Systems with FME
Enabling BIM / GIS integrations with Other Systems with FMESafe Software Jacobs has successfully utilized FME to tackle the complexities of integrating diverse data sources in a confidential $1 billion campus improvement project. The project aimed to create a comprehensive digital twin by merging Building Information Modeling (BIM) data, Construction Operations Building Information Exchange (COBie) data, and various other data sources into a unified Geographic Information System (GIS) platform. The challenge lay in the disparate nature of these data sources, which were siloed and incompatible with each other, hindering efficient data management and decision-making processes.
To address this, Jacobs leveraged FME to automate the extraction, transformation, and loading (ETL) of data between ArcGIS Indoors and IBM Maximo. This process ensured accurate transfer of maintainable asset and work order data, creating a comprehensive 2D and 3D representation of the campus for Facility Management. FME's server capabilities enabled real-time updates and synchronization between ArcGIS Indoors and Maximo, facilitating automatic updates of asset information and work orders. Additionally, Survey123 forms allowed field personnel to capture and submit data directly from their mobile devices, triggering FME workflows via webhooks for real-time data updates. This seamless integration has significantly enhanced data management, improved decision-making processes, and ensured data consistency across the project lifecycle.
Raman Bhaumik - Passionate Tech Enthusiast
Raman Bhaumik - Passionate Tech EnthusiastRaman Bhaumik A Junior Software Developer with a flair for innovation, Raman Bhaumik excels in delivering scalable web solutions. With three years of experience and a solid foundation in Java, Python, JavaScript, and SQL, she has streamlined task tracking by 20% and improved application stability.
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...BookNet Canada A collaboration-focused conversation on the recently imposed US and Canadian tariffs where speakers shared insights into the current legislative landscape, ongoing advocacy efforts, and recommended next steps. This event was presented in partnership with the Book Industry Study Group.
Link to accompanying resource: https://bnctechforum.ca/sessions/bridging-the-divide-a-conversation-on-tariffs-today-in-the-book-industry/
Presented by BookNet Canada and the Book Industry Study Group on May 29, 2025 with support from the Department of Canadian Heritage.
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...
Reducing Conflicts and Increasing Safety Along the Cycling Networks of East-F...Safe Software In partnership with the Belgian Province of East-Flanders this project aimed to reduce conflicts and increase safety along a cycling route between the cities of Oudenaarde and Ghent. To achieve this goal, the current cycling network data needed some extra key information, including: Speed limits for segments, Access restrictions for different users (pedestrians, cyclists, motor vehicles, etc.), Priority rules at intersections. Using a 360° camera and GPS mounted on a measuring bicycle, we collected images of traffic signs and ground markings along the cycling lanes building up mobile mapping data. Image recognition technologies identified the road signs, creating a dataset with their locations and codes. The data processing entailed three FME workspaces. These included identifying valid intersections with other networks (e.g., roads, railways), creating a topological network between segments and intersections and linking road signs to segments and intersections based on proximity and orientation. Additional features, such as speed zones, inheritance of speed and access to neighbouring segments were also implemented to further enhance the data. The final results were visualized in ArcGIS, enabling analysis for the end users. The project provided them with key insights, including statistics on accessible road segments, speed limits, and intersection priorities. These will make the cycling paths more safe and uniform, by reducing conflicts between users.
Edge-banding-machines-edgeteq-s-200-en-.pdf
Edge-banding-machines-edgeteq-s-200-en-.pdfAmirStern2 מכונת קנטים המתאימה לנגריות קטנות או גדולות (כמכונת גיבוי).
מדביקה קנטים מגליל או פסים, עד עובי קנט – 3 מ"מ ועובי חומר עד 40 מ"מ. בקר ממוחשב המתריע על תקלות, ומנועים מאסיביים תעשייתיים כמו במכונות הגדולות.
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptxFIDO Alliance FIDO Seminar: Authentication for a Billion Consumers - Amazon
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdf
Tech-ASan: Two-stage check for Address Sanitizer - Yixuan Cao.pdfcaoyixuan2019 A presentation at Internetware 2025.
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptxFIDO Alliance FIDO Seminar: New Data: Passkey Adoption in the Workforce
High Availability On-Premises FME Flow.pdf
High Availability On-Premises FME Flow.pdfSafe Software FME Flow is a highly robust tool for transforming data both automatically and by user-initiated workflows. At the Finnish telecommunications company Elisa, FME Flow serves processes and internal stakeholders that require 24/7 availability from underlying systems, while imposing limitations on the use of cloud based systems. In response to these business requirements, Elisa has implemented a high-availability on-premises setup of FME Flow, where all components of the system have been duplicated or clustered. The goal of the presentation is to provide insights into the architecture behind the high-availability functionality. The presentation will show in basic technical terms how the different parts of the system work together. Basic level understanding of IT technologies is required to understand the technical portion of the presentation, namely understanding the purpose of the following components: load balancer, FME Flow host nodes, FME Flow worker nodes, network file storage drives, databases, and external authentication services. The presentation will also outline our lessons learned from the high-availability project, both benefits and challenges to consider.
Security Tips for Enterprise Azure Solutions
Security Tips for Enterprise Azure SolutionsMichele Leroux Bustamante Delivering solutions to Azure may involve a variety of architecture patterns involving your applications, APIs data and associated Azure resources that comprise the solution. This session will use reference architectures to illustrate the security considerations to protect your Azure resources and data, how to achieve Zero Trust, and why it matters. Topics covered will include specific security recommendations for types Azure resources and related network security practices. The goal is to give you a breadth of understanding as to typical security requirements to meet compliance and security controls in an enterprise solution.
MuleSoft for AgentForce : Topic Center and API Catalog
MuleSoft for AgentForce : Topic Center and API Catalogshyamraj55 This presentation dives into how MuleSoft empowers AgentForce with organized API discovery and streamlined integration using Topic Center and the API Catalog. Learn how these tools help structure APIs around business needs, improve reusability, and simplify collaboration across teams. Ideal for developers, architects, and business stakeholders looking to build a connected and scalable API ecosystem within AgentForce.
Crypto Super 500 - 14th Report - June2025.pdf
Crypto Super 500 - 14th Report - June2025.pdfStephen Perrenod This OrionX's 14th semi-annual report on the state of the cryptocurrency mining market. The report focuses on Proof-of-Work cryptocurrencies since those use substantial supercomputer power to mint new coins and encode transactions on their blockchains. Only two make the cut this time, Bitcoin with $18 billion of annual economic value produced and Dogecoin with $1 billion. Bitcoin has now reached the Zettascale with typical hash rates of 0.9 Zettahashes per second. Bitcoin is powered by the world's largest decentralized supercomputer in a continuous winner take all lottery incentive network.
Providing an OGC API Processes REST Interface for FME Flow
Providing an OGC API Processes REST Interface for FME FlowSafe Software This presentation will showcase an adapter for FME Flow that provides REST endpoints for FME Workspaces following the OGC API Processes specification. The implementation delivers robust, user-friendly API endpoints, including standardized methods for parameter provision. Additionally, it enhances security and user management by supporting OAuth2 authentication. Join us to discover how these advancements can elevate your enterprise integration workflows and ensure seamless, secure interactions with FME Flow.
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptxFIDO Alliance FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...
FME for Good: Integrating Multiple Data Sources with APIs to Support Local Ch...Safe Software Have-a-skate-with-Bob (HASB-KC) is a local charity that holds two Hockey Tournaments every year to raise money in the fight against Pancreatic Cancer. The FME Form software is used to integrate and exchange data via API, between Google Forms, Google Sheets, Stripe payments, SmartWaiver, and the GoDaddy email marketing tools to build a grass-roots Customer Relationship Management (CRM) system for the charity. The CRM is used to communicate effectively and readily with the participants of the hockey events and most importantly the local area sponsors of the event. Communication consists of a BLOG used to inform participants of event details including, the ever-important team rosters. Funds raised by these events are used to support families in the local area to fight cancer and support PanCan research efforts to find a cure against this insidious disease. FME Form removes the tedium and error-prone manual ETL processes against these systems into 1 or 2 workbenches that put the data needed at the fingertips of the event organizers daily freeing them to work on outreach and marketing of the events in the community.
2013-06-25 - HTML5 & JavaScript Security
- 1. Security bit.ly/HTML5Sec Interaktive Version der Präsentation! Created by Johannes Hoppe
- 2. JohannesHoppe.de bit.ly/HTML5Sec Interaktive Version der Präsentation!
- 5. Ein Formular Username: Password: Login <form id="login" action="#"> Username: <input type="text" name="username"> Password: <input type="password" name="password"> <input type="submit" value="Login"> </form>
- 6. Formaction Username: Password: Login Klick mich! <form id="login" action="#"> Username: <input type="text" name="username"> Password: <input type="password" name="password"> <input type="submit" value="Login"> </form> <button type="submit" form="login" formaction="http://example.org"> Klick mich! </button>
- 7. SVG Presto, WebKit, Gecko und sogar Trident 9 <?xml version="1.0"?> <svg xmlns="http://www.w3.org/2000/svg" width="40" height="40"> <circle cx="20" cy="20" r="15" fill="yellow" stroke="black"/> <circle cx="15" cy="15" r="2" fill="black" stroke="black"/> <circle cx="25" cy="15" r="2" fill="black" stroke="black"/> <path d="M 13 26 A 5 3 0 0 0 27 26" stroke="black" fill="none" stroke -width="2"/> </svg>
- 8. SVG kann JavaScript enthalten! Test <?xmlversion="1.0"?> <svgxmlns="http://www.w3.org/2000/svg"width="200"height="50"> <defs><style> </style></defs> <circlecx="20"cy="20"r="15"fill="yellow"stroke="black"/> <circlecx="15"cy="15"r="2"fill="black"stroke="black"/> <circlecx="25"cy="15"r="2"fill="black"stroke="black"/> <pathd="M1326A530002726"stroke="black"fill="none"stroke-width="2"transform="rotate(180,2 0,28)"/> <textx="11"y="50"id="display">Test</text> <script> </script> </svg> <![CDATA[text{font-size:6pt;}]]> alert(document.cookie); document.getElementById('display').textContent=document.cookie;
- 9. Business as usual HTML5 es ist auch nicht schlimmer als HTML 4 » http://html5sec.org
- 11. Oldies but Goldies index.html?message=Daten gespeichert index.html?message=<script>alert('XSS')</script> <script> var message = $.url().param('message'); if (message) { Notifier.success(message); } </script>
- 12. Eval everywhere Eval is evil » Demo <!-- Self-executing onFocus event via autoFocus --> <input onfocus="alert('XSS onfocus')" autofocus> <!-- Video OnError --> <video><source onerror="javascript:alert('XSS onerror')"></video> <!-- Presto only: Form surveillance --> <form id=test onforminput=alert('XSS onforminput')> <input> </form> <button form=test onformchange=alert('XSS onformchange')>X</button> 1 2 3
- 13. OWASPOpen Web Application Security Project XSS Filter Evasion Cheat Sheet <!-- Long UTF-8 Unicode encoding without semicolons --> <IMG SRC="" onerror="al& #101rt('XSS');"> » Old IE Demo
- 14. XSS Vorbeugen
- 15. 1.Hier sollten dynamische Daten niemals verwendet werden <script> </script> <!-- HIER --> <div HIER="test"/> <HIER href="test" /> <style> </style> HIER HIER
- 16. 2.HTML escape dynamic data & → & < → < > → > " → " ' → ' / ' <div>HTML ESCAPE</div>
- 17. Testen? function htmlEncode(input) { // jquery.text == document.createTextNode return ($('<div/>').text(input).html()); } var saveFormat = function () { var args = Array.prototype.slice.call(arguments); var txt = args.shift(); $.each(args, function (i, item) { item = htmlEncode(item); txt = txt.replace("{" + i + "}", item); }); return txt; };
- 18. Testen! describe("saveFormat", function () { var original = '{0} - {1} - {2}'; it("should replace placeholders", function () { var expected = 'A - B - C'; var formated = saveFormat(original, 'A', 'B', 'C'); expect(formated).toEqual(expected); }); it("should encode injected content", function () { var expected = 'A - <b>TEST</b> - C'; var formated = saveFormat(original, 'A', '<b>TEST</b>', 'C'); expect(formated).toEqual(expected); }); });
- 19. Test finished in 0.004s •• No try/catch Jasmine 1.3.1 revision 1354556913 Passing2specs saveFormat should replace placeholders should encode injected content » Demo
- 20. Moment... describe("saveFormat", function () { var original = '<a title="{0}">Test</a>'; it("should replace quotes", function () { var expected = '<a title=""">Test</a>'; var formated = saveFormat(original, '"'); expect(formated).toEqual(expected); }); });
- 21. Richtig testen! finished in 0.005s x No try/catch Jasmine 1.3.1 revision 1354556913 Failing1spec 1spec|1 failing saveFormat should replace quotes. Expected '<a title=""">Test</a>' to equal '<a title=""">Test</a>'. Error: Expected '<a title=""">Test</a>' to equal '<a title=""">Test</a>'. at new jasmine.ExpectationResult (http://johanneshoppe.github.io/HTML5Security at null.toEqual (http://johanneshoppe.github.io/HTML5Security/examples/jasmine at null.<anonymous> (http://johanneshoppe.github.io/HTML5Security/examples/jas at jasmine.Block.execute (http://johanneshoppe.github.io/HTML5Security/example at jasmine.Queue.next_ (http://johanneshoppe.github.io/HTML5Security/examples/ » Demo
- 22. 3.Attribute escape dynamic data a-z A-Z 0-9 → immun , . - _ → immun Rest → &#xHH; <div attr="ATTRIBUTE ESCAPE"></div> <!-- NIEMALS ohne quotes! --> <div attr=ATTRIBUTE ESCAPE></div>
- 23. 4. DO NOTJavaScript escape dynamic data HTML parser runs before the JavaScript parser! you are doing it wrong
- 24. Das hier ist Alltag UserList.cshtml / Kendo UI Template # if(ID != 0) { # <a href="javascript:DialogManager.ShowPartialDialog('@Url.Action("UserM anagement", "Management")', { userId : '#= htmlEncode(ID) #' }, {title: '#= htmlEncode(Alias) #'})"#= htmlEncode(Alias) #</a> # } else { # #= htmlEncode(Alias) # # } #
- 25. ?Offensichtlich läuft beim Umgang mit Daten etwas prinzipiell falsch!
- 26. Storage
- 27. Egal ob Cookies ob Session Storage ob Local Storage ob WebSQL die Daten sind nicht vertrauenswürdig!
- 29. Vertraulichen Informationen gehören in die SERVER-Session!
- 31. WebSQL SQL Injection: Prepared Statement: executeSql("SELECT foo FROM bar WHERE value=" + value); executeSql("SELECT foo FROM bar WHERE value=?", [value]);
- 32. Kommunikation
- 33. Mashups! define(['jquery', 'knockout', 'knockout.mapping', 'domReady!'], function ($, ko, mapping) { var url ='http://search.twitter.com/search.json?q=%23xss&callback=?'; $.getJSON(url).done(function (data) { var viewModel = mapping.fromJS(data); ko.applyBindings(viewModel, $('#tweets').get(0)); }); });
- 34. Loading...
- 35. JSON JSON with Padding {"hello": "world"} <script> </script> <script src="http://search.twitter.com/search.json?q=%23dnc13&callback= foo"></script> var foo = function(json) { $('#output').text(JSON.stringify(json, undefined, 2)); }; foo({"hello": "world"}); » Demo
- 36. JSONP
- 37. SOP Same origin policy → Not macht erfinderisch (JSONP) CORS Cross-Origin Resource Sharing → Access-Control-Allow-Origin: * WebSockets do what you want
- 38. JS-Recon Shell of the Future
- 43. » Sicherheit von Web-Anwendungen