Is Unicode character encoding a safe alternative to HTML encoding when rendering unsafe user input to HTML?

I am building a web application in which a third-party library is used, which transforms the user input into JSON and sends it to a controller action. In this action, we serialize the input using the standard Microsoft serializer from the System.Text.Json namespace.

public async Task<IActionResult> Put([FromBody] JsonElement json)
{
    string result = JsonSerializer.Serialize(json);
}

However, currently the JSON is rendered back to the page, within a script block and using @Html.Raw(), which raised an alarm with me when I reviewed the code.

While testing if this creates an opening for script injection, I added

<script>alert("HACKED");</script> 

to the input. This input is transformed into

\u003Cscript\u003Ealert(\u0027HACKED\u0027);\u003C/script\u003E 

when serialized.

This looks fine. Rendering this to the page did not result in code execution when I tested it.

So, is Unicode character encoding really a good protection against script injection, or should I not rely on it?

Is it conceivable that unicode encoding is lost somewhere during processing? Like (de)serializing once more, etc?

This seems like a question that has been asked and answered before, but I couldn’t find it.
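Added example, not code from the question and not System.Text.Json itself: a small JavaScript model of the escaping the question shows, with a check of the property that makes it safe inside a script block and of the point where that protection ends. The function names and the sample payload are constructed for this example.

```javascript
// Mimic the default System.Text.Json encoder: HTML-sensitive characters in
// JSON strings become \uXXXX escapes (the question shows \u003C, \u003E, \u0027).
// U+2028/U+2029 are included because older JS engines reject them in literals.
function jsonForScriptBlock(value) {
  return JSON.stringify(value).replace(/[<>&'\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// The HTML tokenizer ends a <script> block at the first "</script" it sees,
// regardless of how the JS inside quotes it. A safe embed therefore contains
// exactly one of them: the real closing tag.
function scriptBlockClosesOnce(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed sample input: the payload from the question.
const payload = { comment: '<script>alert("HACKED");</script>' };

// What @Html.Raw() would emit with the escaping serializer ...
const escaped = jsonForScriptBlock(payload);
const safeBlock = `<script>var data = ${escaped};</script>`;

// ... and with a serializer that leaves '<' and '>' verbatim.
const brokenBlock = `<script>var data = ${JSON.stringify(payload)};</script>`;

// Where the protection stops: once the browser evaluates the literal, the
// value is the original string again. Re-emitting it through a non-escaping
// serializer, or writing it to innerHTML, brings the markup back.
function reparsedValue(jsonText) {
  return JSON.parse(jsonText);
}

function main() {
  console.log(escaped);                            // \u003Cscript\u003E...
  console.log(scriptBlockClosesOnce(safeBlock));   // true
  console.log(scriptBlockClosesOnce(brokenBlock)); // false: closes twice
  console.log(reparsedValue(escaped).comment);     // <script>alert("HACKED");</script>
}
main();
```

The escaping is only about surviving the HTML parse of the script block; the decoded value must still be treated as untrusted data when it is later written into the DOM.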

LinkedIn connection marked unsafe

From time to time my LinkedIn connection gets marked as unsafe: no green lock next to the URL.

First, I believed this was a browser issue, but after I switched to another browser, the warning did not disappear (for now, my browsers are Opera and Chrome).

At first, the connection is always safe, but once I enter the job search section and start scrolling through job offers, every now and then, although not often, the safe connection status turns into unsafe. Does anyone have an idea of what may cause such a change?

Thanks for your attention.

The enclosed images further illustrate my question.


Is it really that unsafe to store passwords in a text file on my computer?

These days, we have pretty secure systems.
I have a mac with T2 security chip and the whole disk is encrypted via FileVault.
iPhones are known to be pretty secure, with even the FBI having a hard time breaking in.
Windows machines can be encrypted with BitLocker or VeraCrypt.
With these kinds of systems, is it really that unsafe to store passwords in a text file for an average individual user?
Of course, if I’m operating a server or anything like that, I would definitely need better security. But I was wondering how much security an average individual user really needs.

Google’s “Cross-client identity” seems unsafe

From Google’s Cross-client identity document:

Cross-client access tokens

[…]

The effect is that if an Android app requests an access token for a particular scope, and the requesting user has already granted approval to a web application in the same project for that same scope, the user will not be asked once again to approve. […]

This seems unsafe. The server-side app is able to do a more secure form of OAuth authorization, because it can protect its client secret. An Android app’s OAuth flow is less safe, since an attacker can always decompile the binary and steal any embedded tokens.

This is the scenario I’m worried about:

  1. I register two client IDs, one for my server-side web app and one for my Android app.
  2. User X authorizes my server-side app.
  3. An attacker steals the Android app’s OAuth-related tokens.
  4. The attacker sends user X through the OAuth flow using the stolen tokens, and Google doesn’t ask for approval.
  5. The attacker now has an access token to user X’s account.

Am I misunderstanding something here?

Some input files use unchecked or unsafe operations. Clean and Build error: Netbeans

I have a problem that has appeared since I started using the Render class (Class Render) to change the row colour in my JTable in Java (Netbeans). It is not a serious error, but a message that appears in the console when I click Clean and Build, and it is the following:

Note: Some input files use unchecked or unsafe operations. 

Note: Recompile with -Xlint:unchecked for details.

This “error”, although it lets me run my program normally on any computer, has a peculiarity: on my PC the coloured rows do appear, but on the other PCs where I also run it: NO! I have tried to find an explanation in English but have not managed to; any help would be useful. Thanks

What to do after visiting unsafe site

I’m sorry if this isn’t the place to ask this, but there doesn’t seem to be a web security stack exchange site, so this looks like the closest thing to me. If there’s a better place to put this question please let me know.

I’m using Firefox on Ubuntu and I accidentally clicked an ad that took me to an obvious scam site. There’s no changed behavior on my computer, but just to be safe I’d like to know what you should do after visiting an unsafe site. Thanks

Is it unsafe to enter administrative Windows credentials when logged in as a regular user?

I was recently advised that when a user is logged in as a regular user and they need an administrator to do something (e.g. install an application), entering the administrator credentials while the regular user is still logged in puts the credentials at great risk, and that logging out as the regular user and logging in as the administrator is the recommended course of action. Is this correct?

Why is unistd’s getpass unsafe?

While reading about how to properly ask a user for a password in CLIs, this SO answer and this SSE answer recommend the usage of unistd's getpass.

However, this function is documented as obsolete and not multi-thread safe. I fail to understand how the recommended replacement (using termios with echo disabled, example in this answer) is more secure than getpass. I was also wondering whether getpass is safe to use in a single-threaded program.

Angular application security error: Sanitizing unsafe style value

In my Angular app, initially I used bypassSecurityTrustStyle(value: string) and it worked, but in security testing of my application it gave the error “Angular Usage of Unsafe DOM Sanitizer”.

In this blog it’s beautifully explained why not to skip sanitization and how to manually sanitize a value. But I could not figure out how to sanitize a CSS style value manually using SecurityContext.STYLE.

Error:

WARNING: sanitizing unsafe style value linear-gradient(135deg, rgba(0, 0, 0, 0.7) 100%, rgb(117, 79, 182) 100%) (see http://g.co/ng/security#xss)

safeUrl unsafe

getBgUrl(category: ICategory): SafeStyle {
  console.log('safeUrl', this.sanitizer.sanitize(SecurityContext.STYLE, `linear-gradient(135deg, rgba(0, 0, 0, 0.7) 100%, rgb(117, 79, 182) 100%)`));
  // return this.sanitizer.bypassSecurityTrustStyle(`linear-gradient(135deg, rgba(0, 0, 0, 0.7) 30%, ${this.gradientColors[category.id % 5]} 100%), url(${category.thumbnail})`);
}

<div class="explore-grid">
  <mat-card
    *ngFor="let category of categories"
    [style.background-image]="getBgUrl(category)"
    [routerLink]="['/Category', category.id]">
    <span>{{category.name}}</span>
  </mat-card>
</div>