<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Vishwa Jay</title>
    <description>The latest articles on DEV Community by Vishwa Jay (@vishwajay).</description>
    <link>https://dev.to/vishwajay</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F935830%2F7b4afbf5-ab6e-4257-842e-70f066509433.jpeg</url>
      <title>DEV Community: Vishwa Jay</title>
      <link>https://dev.to/vishwajay</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/vishwajay"/>
    <language>en</language>
    <item>
      <title>Please Explain Passwords Like I'm Five</title>
      <dc:creator>Vishwa Jay</dc:creator>
      <pubDate>Mon, 10 Oct 2022 01:50:07 +0000</pubDate>
      <link>https://dev.to/vishwajay/explain-passwords-like-im-five-15ci</link>
      <guid>https://dev.to/vishwajay/explain-passwords-like-im-five-15ci</guid>
      <description>&lt;p&gt;While I was trying to create a new website (the hobby kind of site, not the business kind), I encountered a problem: user login.&lt;/p&gt;

&lt;p&gt;And yes, I'm a beginning coder. I need the five-year-old-level of this.&lt;/p&gt;

&lt;p&gt;My friend saw me code the more typical "one-uppercase, one-lowercase, one number, and one special character" version with a minimum of 12 characters. That's when he hit me with both the US National Institute for Science and Technology (NIST) guidelines (&lt;a href="https://specopssoft.com/blog/nist-800-63b/"&gt;800-63b&lt;/a&gt;) and the XKCD comic about &lt;a href="https://xkcd.com/936/"&gt;Correct Horse Battery Staple&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;But then someone else overheard, and sent me &lt;a href="https://blog.diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/"&gt;this rather awful slippery-slope straw-man article&lt;/a&gt;. And when I went to get the actual thinking behind each, I found there was more subjectivity than sound reasoning.&lt;/p&gt;

&lt;p&gt;The debate quickly devolved into each side calling the other side names like "idiot" and "fascist", while neither side really made its case (other than taking lots of time to show me "what ifs" and engage in slippery-slope, strawman, red herring, and various other fallacious arguments). &lt;/p&gt;

&lt;p&gt;So, what's the actual logic behind the answers? Can you please explain to me the actual thinking as if I'm five years old?&lt;/p&gt;

</description>
      <category>explainlikeimfive</category>
      <category>webdev</category>
      <category>security</category>
      <category>question</category>
    </item>
    <item>
      <title>Overcoming execCommand()</title>
      <dc:creator>Vishwa Jay</dc:creator>
      <pubDate>Sun, 02 Oct 2022 16:56:21 +0000</pubDate>
      <link>https://dev.to/vishwajay/overcoming-execcommand-24d5</link>
      <guid>https://dev.to/vishwajay/overcoming-execcommand-24d5</guid>
      <description>&lt;p&gt;&lt;em&gt;&lt;strong&gt;Author's Note:&lt;/strong&gt; It's my very first article on Dev.to, so apologies in advance if I seem a bit outside the norm.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;As a relative beginner in JavaScript, I don't always know what's what. But what I do know is that my first real learning JS project was a text editor that made &lt;em&gt;extensive&lt;/em&gt; use of &lt;code&gt;execCommand()&lt;/code&gt;. But inevitably, everything that isn't 100% great dies out. And with that understanding, it wasn't a complete shock that &lt;code&gt;execCommand()&lt;/code&gt;'s API was being deprecated, and everyone was being told to move to the &lt;code&gt;Selection&lt;/code&gt; and &lt;code&gt;Range&lt;/code&gt; APIs.&lt;/p&gt;

&lt;p&gt;Fully 90% (and probably more) of the web's WYSIWYG and text editors use &lt;code&gt;execCommand()&lt;/code&gt;. I wasn't able to find a single WYSIWYG project on GitHub that didn't make use of the &lt;code&gt;execCommand()&lt;/code&gt; API at some point in the code, except for those using Markdown (and even then, some part of the API was included in all but one of the cases). This isn't to say there isn't some great project I'm missing; it's merely pointing out the vast majority of the text-editing web runs on &lt;code&gt;execCommand()&lt;/code&gt;'s API, sometimes without even realizing it.&lt;/p&gt;

&lt;p&gt;One of the things I've noticed from those few who don't run with &lt;code&gt;execCommand()&lt;/code&gt; in their code is that there's a decided lack of "undo" at work. Meaning that there isn't a &lt;em&gt;"detect if it's already there and undo the application of that particular command"&lt;/em&gt; feature. There's no command history. There's no equal functionality. And it's not that I think someone should come up with it in anything under two years. Rather, I think it would be an amazing gesture to come up with a replacement set of APIs which didn't have so many random parts on it.&lt;/p&gt;

&lt;p&gt;According to &lt;a href="https://developer.mozilla.org/en-US/docs/Web/API/Document/execCommand"&gt;MDN's entry&lt;/a&gt; about &lt;code&gt;document.execCommand()&lt;/code&gt; there are lots of other APIs to replace it. But from the code perspective, it makes things more complicated, because we actually have to think about the code, and implement the things in our own unique ways. But there's no good answer out there as to a "best practices" kind of thing, so what we're looking at seems (from this end of time, at least) to be a time of uncertainty, where WYSIWYG editors are going to need vast amounts of overhaul and larger JS codebases to address what should have been simpler.&lt;/p&gt;

&lt;p&gt;And that's the point of this article: simplicity.&lt;/p&gt;

&lt;p&gt;If we're going to overcome something, we need it simpler than it is. We need to ensure that there's something akin to a "best practices" for WYSIWYG editors, so that they aren't unwieldy, insecure messes. The last thing we need is another amoeba, trying to be all things to all coders.&lt;/p&gt;

&lt;p&gt;But, being a beginner, I'm just one voice, and not a very loud one. My aim is to get us newbies to drive for simplicity (which is easier to secure, in most cases), to get us moving forward, and to actually, I don't know, &lt;em&gt;listen&lt;/em&gt; to people who have ideas that work, instead of trying to say why they won't before they're even tested.&lt;/p&gt;

&lt;p&gt;Because, ultimately, it's the results that demonstrate why something works or not. And it needs to be simple enough to not cause older machines to bend under the weight of new code.&lt;/p&gt;

&lt;p&gt;Just ask &lt;code&gt;execCommand()&lt;/code&gt;.&lt;/p&gt;

</description>
      <category>javascript</category>
      <category>webdev</category>
      <category>beginners</category>
    </item>
  </channel>
</rss>
