Server preventing colon character from being used

I have discovered an input field which accepts <img> and <h1> tags. I tried to use the events like onmouseover which is being stripped from the tag.

Example: If the input is <img src="a" onmouseover="alert(1)"> , the response is <img src="a">.

So it is not just for a single event, even an attribute like “onx” is being stripped off. Hence I tried to use the payload:

<img src="javascript:alert(1)"> 

Surprisingly, now the response is <img> which shows that this happens due to the character colon (:). If I use something like

<img src="javascript_alert(1)"> the response is given back the same way.

Is there anyway to bypass this?

Preventing boot from USB on Dell Inspiron 5559

So what I am looking for is a way to prevent anyone from booting from a USB drive on this specific Dell Inspiron 5559 so normally what I would have to do is to set an Admin password in BIOS that would prevent anyone from booting using a USB drive or change BIOS settings without the Admin password but the bad thing is the admin password could be easily bypassed using certain websites with the System Serial that appear in the message asking for the admin password I won’t post links here but you can search on Youtube and see for yourself so apparently that doesn’t work now I have windows 10 installed and I can use Bitlocker to encrypt my HDD and protect my Info but I am also trying to protect the HDD from sabotage ie formatting the HDD (without using external backup Drive) in short I want that if someone wanted to tamper with the laptop they would need to open the laptop casing and take the HDD out (or even the cmos battery if they tried to reset the BIOS settings) and I am OK with that.

Preventing Quota Theft of Embedded Service without API Key

The way the service works is that the user can embed content on their site, that is served from my servers. Usage is tracked in “views”, or how many times the src endpoint inside of the <iframe> has been called.

I am trying to find out a way to verify that the origin site of the request is indeed the customer’s, and not some other web server. Using an API key as a query parameter leaves the possibility to just copy the <iframe> element, and use the service for free, at the expense of the real customer.

Some methods that I have considered follow:

  • Using the origin/referrer header of the HTTP request
  • Using JavaScript to determine the origin site, then send for the data

The first of these methods can be defeated simply by sending a request to the endpoint from an AJAX request with the origin header set to a customer’s website.

The second may work provided the JavaScript method that requests the data is sufficiently obfuscated.

While I know that no solution is fool-proof, I am not quite satisfied with relying on the origin HTTP header to determine usage.

Are there any alternative methods that do not rely on the customer rotating code, api key or otherwise, to prevent quota theft? Thanks in advance.

Does preventing a creature from taking actions also prevent reactions?

I’m slightly confused by the use of the word “action” in the text. The section on “Reactions” states:

Certain special abilities, spells, and situations allow you to take a special action called a reaction…

And then there are times where you cannot take actions such as the dream spell which states:

[…] While in the trance, the messenger is aware of his or her surroundings, but can’t take Actions or move…

There are also time where something explicitly says you can’t take reactions like the Incapacitated condition which states:

An incapacitated creature can’t take actions or reactions.

And then there is this phrase from the section on “Bonus Actions”:

[…] anything that deprives you of your ability to take actions also prevents you from taking a bonus action.

There is no similar phrase in the “Reactions” section so I am left wondering:
If something, like the spell dream, prevents you from taking actions, but not reactions, can you still take a reaction?

How to still allow plain HTTP while preventing accidental use?

I have a website that must be available over both HTTP and HTTPS, however I only want people to use HTTP if they really need to (obviously). The idea I came up with is to have redirection to HTTPS, along with HSTS, on mydomain.com, and to offer plain HTTP on http.mydomain.com. I would ask search engines not to advertise my http subdomain, it should only be found via instructions on my site itself. This should prevent users from accidentally using HTTP and would also make the choice really explicit.

My question is what kinds of attacks I’m opening myself up to with this approach. Phishing attacks seem inevitable; an attacker might always trick a victim into using the insecure domain and hoping they won’t notice. I could show a permanent warning banner on my http site, but that would only help if the attacker is unable to modify the packets in flight. The second concern is DNS spoofing, where an attacker points mydomain.com to http.mydomain.com, or points http.mydomain.com to their own servers. However, more and more clients are DNSSEC-validating, and my website has DNSSEC enabled, so I’m hoping that attack vector will keep on shrinking.

Any things I’m missing? Is there a better approach to what I’m trying to do?

Preventing a long rest (player -> player)

Is there a potion or <= level 3 spell (or something else), or an in-game drug/root/plant/etc. that can be used to essentially prevent a player from sleeping for a certain amount of time, or otherwise disrupt and prevent a single long rest of an individual player?

From what I can tell, while there’s loads of ways to force somebody to sleep, there doesn’t seem to be any lower level means to force somebody to stay awake.

There’s the Dream and Nightmare spells, but they’re level 5.

Basically, I’m looking for some way for a player to intentionally prevent a specific other players’ long rest for a night.

When does the Shocking Grasp spell actually start preventing the target from taking reactions?

The shocking grasp spell’s description states:

On a hit, the target takes 1d8 lightning damage, and it can’t take reactions until the start of its next turn.

It is unclear to me when the reaction prevention actually occurs (on being hit or on taking damage).
I have found this Q/A where a comment from @DavidCoffron says:

[shocking grasp] interrupts the damage taking (which is the trigger), not the hit (which causes the reaction-block)

And then there is this Q/A where the following sentence exists in @chaoticgeek’s answer:

In addition you take damage and can’t take reactions together so if you can prevent the first you have to prevent the other since it is a chain linked by ‘and’ in this situation…

[T]he reaction prevention only comes with the damage that is dealt

Does the ‘and’ in shocking grasp link the clauses enough to make them simultaneous?


I do not believe that this Q/A is a duplicate of mine because I am specifically wondering when you are prevented from taking reactions, which (as the quotes above show) does not seem to be entirely agreed upon.

Does shocking grasp prevents the target from taking reactions once the spell hits them or once the spell damages them?

Preventing a SharePoint workflow from triggering every time I upload a new list item attachment?

I have a list in SharePoint where users can add requests, assign it to a user, and a workflow runs in the background to notify the user via email when something has been assigned to them.

Unfortunately we’ve had issues with MS Flow recently, so I was forced to build the workflow initially using SharePoint Designer (although I believe the principles should still be the same). So apologies for appearing old fashioned here.

SharePoint is very awkward when it comes to workflows that trigger only when a single field is changed and not the entire list item. Here is a screenshot of what I have in place, essentially it will only send an email if the ‘assigned to’ field has changed to a new person’s name. The workflow triggers every time the list item is modified.

enter image description here

This workflow works pretty well, however, we have a big problem when users are adding attachments to the list item. Every time I add a new attachment, it’s triggering this workflow and sending the email. I’m not really sure why, because the email should only send if the assigned to name has changed, but simply adding an attachment is causing the email to send. It means if users attach 5 documents in a row, the assigned to person receives 5 of the same email.

Does anyone know why this might be happening?

Interface for preventing certain items to be combinational with each other

Suppose that I have three lists with items [A1, …, A10], [B1, …, B10] and [C1, …, C10] and I apply the cartesian product on those lists. Then I will get [[A1, B1, C1], [A2, B1, C1], …]

Now I need a user interface that allows a user to define not allowed combinations, for example B1 and C1 cannot be in the same combination.

I have thought about a matrix, but that seems quite cumbersome with many items.

Item-level permission preventing workflow emails from sending

I have a SharePoint list in O365 called ‘Shift Requests’ where employees can submit a request to do overtime by covering a vacant shift. I have a simple workflow in SP Designer that does the following:

Status = Pending – Sends an e-mail to a supervisor to alert them to the request

Status = Approved – Sends an email to the employee to advise them they can cover the shift

Status = Rejected – Send an email to the employee to advise them they cannot cover the shift

The ‘pending’ e-mail sends correctly each time, but I can only get the e-mails to send for the approved/rejected status when the level permissions are set to “Read all items” and “Create and edit all items”.

Problem with this is it leaves the potential for unscrupulous employees to delete or edit other people’s shift requests. Is there a way to fix this either with permissions or a workflow action please?