Does moving a grappled foe through someone’s threatened area trigger an attack of opportunity?

If one has grappled a foe, and then succeeds on a check to maintain it, one of the options is:

You can move both yourself and your target up to half your speed. At the end of your movement, you can place your target in any square adjacent to you. If you attempt to place your foe in a hazardous location, such as in a wall of fire or over a pit, the target receives a free attempt to break your grapple with a +4 bonus.

The attack of opportunity (AoO) rules state that:

Moving out of a threatened square usually provokes attacks of opportunity from threatening opponents. There are two common methods of avoiding such an attack—the 5-foot step and the withdraw action.

  1. Does being moved out of a threatened square by someone else (in general, or while grappled) trigger an AoO?
  2. If it does, would that trigger the "if you attempt to place your foe in a hazardous location" clause?

Is the DMG’s Disarm option an entire action, or a replacement for a single weapon attack?

My confusion comes from the somewhat ambiguous wording of the Disarm action as described in the Dungeon Master’s Guide (p. 271):

A creature can use a weapon attack to knock a weapon or another item from a target’s grasp. The attacker makes an attack roll contested by the target’s Strength (Athletics) check or Dexterity (Acrobatics) check. If the attacker wins the contest, the attack causes no damage or other ill effect, but the defender drops the item.

Two things stand out to me:

A creature can use a weapon attack

One way to interpret this is to mean that this is replacing a normal weapon attack, disarming the target instead of dealing damage. The other way to interpret this is that this weapon attack is special; that despite being called an attack, it’s intended to be its own action type.

If the attacker wins the contest, the attack causes no damage or other ill effect

This also stands out to me. If this were its own action, and not a replacement for a regular attack, then it wouldn’t be necessary to specify that damage is negated; it would simply be presumed to deal no damage.

What is the correct way to interpret this action? Is it its own action, or a replacement for a single attack as part of the Attack action? If a character gets the Extra Attack feature, can Disarm replace every attack they’re otherwise allowed to make?

Can the bonus action attack from Polearm Master be used to Disarm?

Polearm Master (PHB p. 168) gives you the ability to situationally make a bonus action attack:

When you take the Attack action and attack with only a glaive, halberd, or quarterstaff, you can use a bonus action to make a melee attack with the opposite end of the weapon. This attack uses the same ability modifier as the primary attack. The weapon’s damage die for this attack is a d4, and it deals bludgeoning damage.

The optional Disarm rule (DMG p. 271) allows a weapon attack to disarm rather than do damage:

A creature can use a weapon attack to knock a weapon or another item from a target’s grasp. The attacker makes an attack roll contested by the target’s Strength (Athletics) check or Dexterity (Acrobatics) check. If the attacker wins the contest, the attack causes no damage or other ill effect, but the defender drops the item.

Can you Disarm using the bonus action attack provided by Polearm Master? (obviously forgoing the damage roll).

Does a natural 1 end your attack progression?

In many 3.5 games that I have played, a roll of a natural one on an attack roll is not just a miss, but it ends your attack progression. I thought this was an official rule, but I am not finding it anywhere. In fact, when I looked it up in the SRD, it just says that it is a miss. It does not say anything about ending the attack progression.

Am I misremembering? Is a roll of a natural 1 just a miss, and the creature may continue their attack progression as normal? If it is an actual official rule, could someone point me to its location?

In Pathfinder, how can my DM deal with my very high attack mod?

I recently joined an ongoing campaign with a level 8 fighter character and due to the amount of feats, weapon training, equipment, and especially buffs coming from the party bard… my character tends to have a stupidly high attack modifier that is stumping the DM because of their near guarantee to hit. Hardly anyone else in my party (Druid/Bard/Rogue) comes close to the attack rolls I manage to dish out. Which has been making me as a player feel kind of bad for just waltzing in with this seemingly powerhouse of a character, causing an imbalance difficult to deal with. He sucks in just about everything else skill and social wise.

Are there any good ways to combat a high attack mod?

How to prevent XSS attack on selected window.location in javascript

This is my code where I have a userId in a method SwitchUser_Click. I need to prevent or somehow encode the return value from the SwitchUser_Click as it includes the UserId of a user vulnerable to XSS attack or redirects.

    function SwitchUser_Click(containerElement, OnSuccess) {
        var selecteduserId = $("select", containerElement).val();
        var makeDefault = $(":checkbox", containerElement).is(":checked");
        window.location = "Default.aspx?uId=" + selecteduserId + "&userActive=" + (makeDefault ? "1" : "0");
        OnSuccess();
    }

The code below is called from the aspx page by using Client.RegisterScript and passing the parameters. This is the only place the SwitchUser_Click method is used.

    function OpenSwitchUser(UserId, modCode, defUrl) {
        defaultUrl = defUrl;
        var options = {
            controlUrl: "~/Controls/SwitchUserDialog.ascx",
            params: { uid: UserId, mod: modCode },
            top: 70,
            width: 600,
            height: 2500,
            OKCallback: SwitchUser_Click,
            InitCallback: SwitchUserDialog_Init,
            cancelCallback: SwitchUser_Close
        };
        $.showControlDialog(options);
    }

I want to know how to encode my userId in the SwitchUser_Click method and decode it when it's called. Or maybe there is some other way to do this. Thank you.
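One way to build the redirect target from the question's `SwitchUser_Click` so that the selected value cannot add parameters, markup or a different destination. This is an added example, not code from the original post; `USER_ID_PATTERN`, `encodeSwitchUserQuery`, `buildSwitchUserUrl`, `staysOnOrigin` and `SwitchUser_Click_Hardened` are hypothetical names, and the id format is an assumption.

```javascript
// ASSUMPTION: user ids are short alphanumeric tokens; adjust to the application's real id format.
const USER_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Encoding alone: URLSearchParams percent-encodes every character that could
// end the parameter or start markup, so the value stays inside uId.
function encodeSwitchUserQuery(selectedUserId, makeDefault) {
  return new URLSearchParams({
    uId: String(selectedUserId),
    userActive: makeDefault ? "1" : "0",
  }).toString();
}

// Allowlist plus encoding: reject anything that is not shaped like a user id
// before it is placed in the URL at all.
function buildSwitchUserUrl(selectedUserId, makeDefault) {
  const id = String(selectedUserId);
  if (!USER_ID_PATTERN.test(id)) {
    throw new Error("rejected user id");
  }
  return "Default.aspx?" + encodeSwitchUserQuery(id, makeDefault);
}

// Defence in depth for redirects: the resolved target must stay on the current origin.
function staysOnOrigin(target, currentHref) {
  const base = new URL(currentHref);
  try {
    return new URL(target, base).origin === base.origin;
  } catch (e) {
    return false;
  }
}

// Browser wiring (hypothetical hardened variant of the handler; needs jQuery and a DOM).
function SwitchUser_Click_Hardened(containerElement, OnSuccess) {
  var target = buildSwitchUserUrl(
    $("select", containerElement).val(),
    $(":checkbox", containerElement).is(":checked")
  );
  if (!staysOnOrigin(target, window.location.href)) return;
  window.location.assign(target);
  OnSuccess();
}
```

No decode step is needed in script: the server's query-string parser decodes `uId`. Because a request to `Default.aspx` can be crafted without this script, the server still has to validate `uId` and HTML-encode it wherever it is written back into a page.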

What is the weapon attack damage of a tentacle rod?

The tentacle rod’s description includes the following (emphasis added):

Made by the drow, this rod is a magic weapon that ends in three rubbery tentacles. While holding the rod, you can use an action to direct each tentacle to attack a creature you can see within 15 feet of you. Each tentacle makes a melee attack roll with a +9 bonus. On a hit, the tentacle deals 1d6 bludgeoning damage.

Answering this recent question, I concluded that the three attack feature of the tentacle rod is incompatible with extra attacks. In this older question, it was concluded that it is also incompatible with opportunity attacks.

However, I was then wondering, how making a normal weapon attack would work with the tentacle rod (without the three attacks property). This is clearly possible and in the case of the opportunity attack it can very well be worthwhile if you do not have better plans for your reaction. Usually, magic weapons have the respective item category (e.g. the scimitar of speed, which says "weapon (scimitar)") which defines a weapon damage in that those weapon types are detailed in the PHB (p. 149).

The description clearly states that the rod is a weapon (vide infra), its category, however, is rod. The magic item categories (DMG pp. 139-140) state that a magic staff can be used as a quarterstaff unless stated otherwise, while a rod is "A scepter or just a heavy cylinder". This was confirmed in this question about rod of the pact keeper.

It seems therefore, that the tentacle rod is a weapon by RAW but has no weapon type or weapon damage defined.

The rules on improvised weapons (PHB pp. 147-148) state:

An improvised weapon includes any weapon you can wield in one or two hands, such as broken glass, a table leg, a wagon wheel, or a dead goblin. Often an improvised weapon is similar to an actual weapon and can be treated as such. For example, a table leg is akin to a club.

It further states:

An object that bears no resemblance to a weapon deals 1d4 damage (the DM assigns a damage type appropriate to the object).

Now the last part should not apply because the rod clearly is a weapon. I can simply decide what weapon the rod is like (probably a quarterstaff, club, or a whip). I am wondering, however:

Is there anything more clear on the subject, either additional rules on improvised weapons, or specific information on the tentacle rod, that would give guidance on the matter?

If my familiar is forced through my action, to drop a rock while over a target, is it an attack?

Here is the scenario:

My Familiar has a strength of two and can therefore carry 7lbs. (Str score X15 divided by 4 for being tiny (p176 PHB) )

I cast Reduce on a rock that weighs 56lbs making it weigh 7lbs.

I have my familiar fly over a target. Then as an action I cast Enlarge on the rock, cancelling out the reduce spell and enlarging the rock x8 making it weigh 448lbs. This is too much for the familiar to hold and it drops the rock. Not as an attack, but because it has no choice.

An alternative but similar thought for comparison. If I use an action to dismiss the familiar does it drop the rock? (ending concentration on the reduce spell and still dropping a 56lbs rock)

Does this count as an attack from the familiar, or because I used an action to cause it, is it my attack?

Does hashing client-side increase attack surface (assuming TLS and serverside salt+hash)? [duplicate]

This question asks whether one should hash on the client or the server. I want to know if there is any reason, aside from having to maybe handle one extra hashing library (if it’s not already in your security stack), why you wouldn’t want to hash both on the client and on the server. Extra code complexity is fine, you are just invoking one extra pure-functional method.

Workflow: User submits username/password. Assert the usual password strength check. Submit HTTPS username=username and password2=cryptohash(password). Backend generates salt := make_nonce() and stores username=username, salt=salt, key=cryptohash(password2 + salt).

I ask because I still see lots of websites which set a maximum number of characters to some obnoxiously small number, like 16, 14, 10, or even 8 (I’m fine if you want to cap at 64). Also many limit the types of characters you can input. Ostensibly, this is to protect against buffer overflows, escapes, injection attacks, etc, as well as avoid under-defined internationalization behavior. But why not just take that field and run SomeHash.ComputeHash(Encoding.Unicode.GetBytes(value)), ideally a key-derivation function? That’ll take any trash you could put into that field and yield nice random bytes.

This question and this question are kinda similar, but mostly address whether you’d want to do only client-side hashing from a security point of view. I’m assuming the security would be at-least-as-good-as regular password form submission.
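The workflow from the question (client sends `password2`, server stores a salt and a salted hash of `password2`), as an added example that is not part of the original post. It is written for Node so both sides run in one file. The assumptions are SHA-256 for the client `cryptohash`, scrypt as the server-side key-derivation function, UTF-8 bytes after NFC normalisation, and an in-memory `Map` as the user store; all function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// Client side: password2 = cryptohash(password).
// Any length and any characters in, exactly 64 hex characters out.
function clientPrehash(password) {
  return crypto
    .createHash("sha256")
    .update(password.normalize("NFC"), "utf8") // ASSUMPTION: NFC + UTF-8 encoding
    .digest("hex");
}

// The only shape the server accepts, which replaces ad-hoc length and character limits.
const PASSWORD2_FORMAT = /^[0-9a-f]{64}$/;

// Server side, registration: salt := make_nonce(); key = KDF(password2, salt).
function register(store, username, password2) {
  if (!PASSWORD2_FORMAT.test(password2)) {
    throw new Error("malformed password2");
  }
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password2, salt, 32);
  store.set(username, { salt, key });
}

// Server side, login: recompute with the stored salt and compare in constant time.
function verify(store, username, password2) {
  const record = store.get(username);
  if (!record || !PASSWORD2_FORMAT.test(password2)) {
    return false;
  }
  const candidate = crypto.scryptSync(password2, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.key);
}
```

The server never sees the original password here, so `password2` is the credential it authenticates: whoever holds `password2` can log in, which is why the server-side salt and KDF step stays in place.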