Should read-only text appear as plain text or in a read-only textbox?

Should I use labels for read-only information, or should I use read-only text boxes to maintain the look of the fields?

It seems to me that if something is in a textbox it implies there is some way to edit it, whereas plain text is explicitly read-only.

Update: While my question is similar to Locking input form fields, does it make sense?, mine is different in that I’m referring to fields that are never editable by anyone. It’s not based on the user’s rights or role.

What is the source for 5e defaulting to plain English readings of non-game terms?

In many discussions involving rules interpretations the meaning of words is often called into question. Often, people will claim that if the game doesn’t define the term that it defaults to the plain English reading of the word.

Is this stated somewhere explicitly in the rules or in designer comments? What is the source (or sources) for this claim?

OAuth2 PKCE – What security does “S256” provide over “plain”?

The OAuth PKCE protocol flow is as follows, as defined in RFC 7636:

                                                 +-------------------+
                                                 |   Authz Server    |
       +--------+                                | +---------------+ |
       |        |--(A)- Authorization Request ---->|               | |
       |        |       + t(code_verifier), t_m  | | Authorization | |
       |        |                                | |    Endpoint   | |
       |        |<-(B)---- Authorization Code -----|               | |
       |        |                                | +---------------+ |
       | Client |                                |                   |
       |        |                                | +---------------+ |
       |        |--(C)-- Access Token Request ---->|               | |
       |        |          + code_verifier       | |    Token      | |
       |        |                                | |   Endpoint    | |
       |        |<-(D)------ Access Token ---------|               | |
       +--------+                                | +---------------+ |
                                                 +-------------------+

My question is: why do we need to use a trapdoor like S256 in step (A)?

According to the RFC’s threat model, a malicious app cannot intercept the outgoing communication in (A) or (C). So why can’t an app generate and temporarily store a random value in (A) and re-use it in (C)?

To elaborate: the goal of t(code_verifier) (i.e. S256(code_verifier)) is to later enable the app to prove to the server that it is indeed the app, as it possesses code_verifier before the transform.

However, if the app just sent code_verifier and later sent it again, the same guarantee is achieved: the server receives a random value that uniquely identifies the app, and receives it again. No other app can provide this value: as long as the connection isn’t intercepted (and it shouldn’t be – TLS), S256 seems unnecessary.
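Added example, not part of the original question and not code from RFC 7636: a Python sketch of the two `code_challenge_method` transforms and the comparison the token endpoint makes in (C), showing what the string carried in (A) is worth on its own under each method. The function names are hypothetical; the test vector is the one given in RFC 7636, Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

# Test vector from RFC 7636, Appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_S256_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def new_code_verifier() -> str:
    """32 random bytes as a 43-character base64url string."""
    return secrets.token_urlsafe(32)


def code_challenge(verifier: str, method: str) -> str:
    """t(code_verifier): the value carried in authorization request (A)."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


def token_endpoint_accepts(stored: str, method: str, presented: str) -> bool:
    """Check made in (C): recompute t(presented), compare with what (A) stored."""
    try:
        return hmac.compare_digest(code_challenge(presented, method), stored)
    except (ValueError, TypeError):  # unknown method or non-ASCII input
        return False


def value_from_a_passes_c(method: str) -> bool:
    """True if the string visible in (A) is, by itself, accepted in (C)."""
    verifier = new_code_verifier()
    seen_in_a = code_challenge(verifier, method)
    # The client that holds the verifier is accepted under either method.
    assert token_endpoint_accepts(seen_in_a, method, verifier)
    return token_endpoint_accepts(seen_in_a, method, seen_in_a)


if __name__ == "__main__":
    print(code_challenge(RFC_VERIFIER, "S256") == RFC_S256_CHALLENGE)
    for m in ("plain", "S256"):
        print(m, value_from_a_passes_c(m))
```

With `plain`, anything that records the authorization request (browser history, a proxy or server log) holds the verifier itself; with `S256` it holds only the hash, which the token endpoint rejects.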

jQuery change event on multiline text field (plain text)

I have tried to set up an onchange event to be triggered on a Multiline (Plain) Text field. I have tried all the following without luck.

    $("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").change(function(){ alert('Action 1');});
    $($("[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).bind('input', function() { alert('Action 2');});
    $($("[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).on('input', function() { alert('Action 3');});
    $("input[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']").change(function(){ alert('Action 3');});
    $($("input[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).change(function(){ alert('Action 4');});
    $("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").contents().change(function(){ alert('Action 5');});
    $("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").change(function(){ alert('Action 6');});
    $("textarea[Title='Identified Tasks']").closest("span").change(function(){ alert('Action 7');});
    $("textarea[title='Identified Tasks']").change(function(){ alert('Action 8');});
    $($("[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).change(function(){ alert('Action 9');});
    $($("[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).closest("span").change(function(){ alert('Action 10');});
    $($("[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).children().change(function(){ alert('Action 11');});
    $($("[id^=Identified_x0020_Tasks]")[0]).change(function(){ alert('Action 12');});
    var systemDescriptionRTE = $("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").contents().find("body");
    var systemDescriptionRTE = $("textarea[Title='Identified Tasks']").closest("span").find("iframe[Title='Rich Text Editor']").contents().find("body").find("span");
    $(systemDescriptionRTE).change(function(){ alert('Action 13');});
    $("textarea[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']").change(function(){ alert('Action 14');});
    $("textarea[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte'][0]").change(function(){ alert('Action 15');});
    $("textarea[title='Identified Tasks']").change(function(){ alert('Action 16');});
    $slogDiv.on('change', function(e){ alert('Action 18');});
    var $slogDiv = $("[id^='Identified_x0020_Tasks'][id$='$TextField_inplacerte']");
    $slogDiv.on('change', function(e){ alert('Action 20');});

The following code does work

    var $slogDiv = $("[id^='Identified_x0020_Tasks'][id$='$TextField_inplacerte']");
    $slogDiv.on('click keyup', function(e){ alert('Action 19');});
    alert($($("[id^=Identified_x0020_Tasks][id$='$TextField_inplacerte']")[0]).text())

So I seem to have the selector correct. Any ideas on how to attach a change event on it?

The clickup event does work, but multiple times, not just once as expected from a change event.

Any suggestions on what coding I need?

How to still allow plain HTTP while preventing accidental use?

I have a website that must be available over both HTTP and HTTPS, however I only want people to use HTTP if they really need to (obviously). The idea I came up with is to have redirection to HTTPS, along with HSTS, on mydomain.com, and to offer plain HTTP on http.mydomain.com. I would ask search engines not to advertise my http subdomain, it should only be found via instructions on my site itself. This should prevent users from accidentally using HTTP and would also make the choice really explicit.

My question is what kinds of attacks I’m opening myself up to with this approach. Phishing attacks seem inevitable; an attacker might always trick a victim into using the insecure domain and hoping they won’t notice. I could show a permanent warning banner on my http site, but that would only help if the attacker is unable to modify the packets in flight. The second concern is DNS spoofing, where an attacker points mydomain.com to http.mydomain.com, or points http.mydomain.com to their own servers. However, more and more clients are DNSSEC-validating, and my website has DNSSEC enabled, so I’m hoping that attack vector will keep on shrinking.

Any things I’m missing? Is there a better approach to what I’m trying to do?

Employer stores plain text personal data in a ‘data warehouse’

I’m unsure if I have posted this in the correct community but the organisation I am currently working for currently uses an SQL ‘data warehouse’ which contains a bunch of tables from various sources, for various purposes. This data warehouse (as far as I can tell) has two or three environments; Dev, QA and Production.

I was recently granted access to the development data warehouse SQL server for a software development project I am working on and found a number of tables containing sensitive employee data from 2012-2013, in plain text (including National Insurance Numbers, Next of kin details, qualification details, addresses, phone numbers, car registrations etc.).

This development server is accessed by a number of developers within my organisation (including myself) for various projects.

1) I don’t think this data should be stored on the development environment (I believe everything was copied back from Production server at some point).

2) I don’t think these details should be stored in plain text for anyone to see via a simple SQL query.

3) I don’t believe that myself and other developers within the organisation should have free access to these tables.

I’m fairly certain that my employer is not aware of this and are actually storing all of this information in plain text, in the production environment. I also think that this breaches some sort of privacy or GDPR law.

I’ve spoken to my manager about this but they seem to be glossing over it and ignoring the issue/ not wanting to get involved.

How do I report this without getting into trouble myself, for viewing these tables?

EDIT: I had to request permission to gain access to this data warehouse server. I only have access to the development server and as I was browsing through the tables to find the one required for my project, I came across the ones which contain sensitive data. Being curious, I ran a simple ‘SELECT TOP 1000 ROWS’ query and it came back with the sensitive data.

Why do web browsers provide websites with plain text passwords?

Suppose I sign up for website.com with username “John” and password “Secret”.

Currently the web browser supplies website.com with my real plain text password, and we must trust them to salt and hash it properly so that if they are hacked, damage to users is minimized.

Why don’t web browsers hash and salt your password for you? What would the downsides be if instead, it communicated:

    username: John
    password: Sha256("website.com|john|Secret") => "655cd29ded358433da16867b682c21621664d26b9ca493ab224488dffce17050"

Maybe it’s not the best scheme in the world, but is it worse than nothing at all?

With this scheme websites would have to keep track of which domain you signed up under, and you would probably want to modify the username to be all lowercase in the hash function so that the web browser communicates the same password no matter how you case your username.

The reason I suggest including domain or some other company id in the hash is so that rainbow tables can’t be used for more than one site at a time.
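Added example, not part of the original question: a Python model of the scheme described in the post, with two assumed server designs beside it, one that stores the browser-derived value as received and one that salts and stretches it again. The class and function names are hypothetical and the account is constructed; the example checks whether a stored database value is itself accepted as the login secret.

```python
import hashlib
import hmac
import os


def browser_side(domain: str, username: str, password: str) -> str:
    """Value the browser would send under the scheme in the post."""
    material = f"{domain}|{username.lower()}|{password}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class SiteStoringAsReceived:
    """Assumed server that treats the received value as already hashed."""
    def __init__(self):
        self.db = {}

    def register(self, user: str, sent: str) -> None:
        self.db[user.lower()] = sent

    def login(self, user: str, sent: str) -> bool:
        return hmac.compare_digest(self.db.get(user.lower(), ""), sent)


class SiteHashingAgain:
    """Assumed server that salts and stretches whatever it receives."""
    def __init__(self):
        self.db = {}

    def _stretch(self, sent: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", sent.encode(), salt, 100_000)

    def register(self, user: str, sent: str) -> None:
        salt = os.urandom(16)
        self.db[user.lower()] = (salt, self._stretch(sent, salt))

    def login(self, user: str, sent: str) -> bool:
        if user.lower() not in self.db:
            return False
        salt, stored = self.db[user.lower()]
        return hmac.compare_digest(stored, self._stretch(sent, salt))


def stored_row_works_as_login(site) -> bool:
    """Register a constructed account, then present the stored value at login."""
    sent = browser_side("website.com", "John", "Secret")
    site.register("John", sent)
    assert site.login("john", sent)  # the real user is accepted either way
    row = site.db["john"]
    leaked = row if isinstance(row, str) else row[1].hex()
    return site.login("john", leaked)
```

The per-domain input keeps the transmitted value different on every site, but that value is the password as far as the server is concerned, so the server-side salt and hash are still needed.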

Plain Text validation on presave function sharepoint

I have an OOTB list. When adding a new item I want to validate: on drop-down selection, if the value is USA, three multi-line text boxes will show as mandatory fields. I know we have to write the validation in the PreSave function, but I would like the validation to look like SharePoint OOTB validation, not an alert.

Below is my code:

    $(document).ready(function(){
        $('nobr:contains("Email Subject")').closest('tr').hide();
        $('nobr:contains("Email Body")').closest('tr').hide();
        $('nobr:contains("End SLA")').closest('tr').hide();

        //Show/hide columns based on Drop Down Selection
        $("select[title='Country']").change(function() {
            if ($("select[title='Country']").val() == "USA")
            {
                $('nobr:contains("Email Subject")').closest('tr').show();
                $('nobr:contains("Email Body")').closest('tr').show();
                $('nobr:contains("End SLA")').closest('tr').show();
            }
            else
            {
                $('nobr:contains("Email Subject")').closest('tr').hide();
                $('nobr:contains("Email Body")').closest('tr').hide();
                $('nobr:contains("End SLA")').closest('tr').hide();
            }
        });
    });