Pen Settings

HTML

About HTML Preprocessors

HTML preprocessors can make writing HTML more powerful or convenient. For instance, Markdown is designed to be easier to write and read for text documents and you could write a loop in Pug.

Learn more · Versions

Adding Classes

In CodePen, whatever you write in the HTML editor is what goes within the <body> tags in a basic HTML5 template. So you don't have access to higher-up elements like the <html> tag. If you want to add classes there that can affect the whole document, this is the place to do it.

About the <head>

In CodePen, whatever you write in the HTML editor is what goes within the <body> tags in a basic HTML5 template. If you need things in the <head> of the document, put that code here.

!
Insecure Resource

The resource you are linking to is using the 'http' protocol, which may not work when the browser is using https.

CSS

About CSS Preprocessors

CSS preprocessors help make authoring CSS easier. All of them offer things like variables and mixins to provide convenient abstractions.

Learn more · Versions

CSS Base

About CSS Base

It's a common practice to apply CSS to a page that styles elements such that they are consistent across all browsers. We offer two of the most popular choices: normalize.css and a reset. Or, choose Neither and nothing will be applied.

Vendor Prefixing

About Vendor Prefixing

To get the best cross-browser support, it is a common practice to apply vendor prefixes to CSS properties and values that require them to work. For instance -webkit- or -moz-.

We offer two popular choices: Autoprefixer (which processes your CSS server-side) and -prefix-free (which applies prefixes via a script, client-side).

Add External Stylesheets/Pens

Any URLs added here will be added as <link>s in order, and before the CSS in the editor. You can use the CSS from another Pen by using its URL and the proper URL extension.

Powered by Algolia
About External Resources

You can apply CSS to your Pen from any stylesheet on the web. Just put a URL to it here and we'll apply it, in the order you have them, before the CSS in the Pen itself.

You can also link to another Pen here (use the .css URL Extension) and we'll pull the CSS from that Pen and include it. If it's using a matching preprocessor, use the appropriate URL Extension and we'll combine the code before preprocessing, so you can use the linked Pen as a true dependency.

Learn more

+ add another resource

JavaScript

About JavaScript Preprocessors

JavaScript preprocessors can help make authoring JavaScript easier and more convenient.

Learn more · Versions

Babel includes JSX processing.

Add External Scripts/Pens

Any URL's added here will be added as <script>s in order, and run before the JavaScript in the editor. You can use the URL of any other Pen and it will include the JavaScript from that Pen.

Powered by Algolia
About External Resources

You can apply a script from anywhere on the web to your Pen. Just put a URL to it here and we'll add it, in the order you have them, before the JavaScript in the Pen itself.

If the script you link to has the file extension of a preprocessor, we'll attempt to process it before applying.

You can also link to another Pen here, and we'll pull the JavaScript from that Pen and include it. If it's using a matching preprocessor, we'll combine the code before preprocessing, so you can use the linked Pen as a true dependency.

Learn more

+ add another resource

Packages

Add Packages

Search for and use JavaScript packages from npm here. By selecting a package, an import statement will be added to the top of the JavaScript editor for this package.

Powered by Algolia
About Packages

Using packages here is powered by esm.sh, which makes packages from npm not only available on a CDN, but prepares them for native JavaScript ESM usage.

All packages are different, so refer to their docs for how they work.

If you're using React / ReactDOM, make sure to turn on Babel for the JSX processing.

Behavior

Auto Save

If active, Pens will autosave every 30 seconds after being saved once.

Auto-Updating Preview

If enabled, the preview panel updates automatically as you code. If disabled, use the "Run" button to update.

Format on Save

If enabled, your code will be formatted when you actively save your Pen. Note: your code becomes un-folded during formatting.

Editor Settings

Code Indentation

Want to change your Syntax Highlighting theme, Fonts and more?

Visit your global Editor Settings.

HTML
!

CSS
!

JS 

              
                // JavaScript has several security concerns that can be exploited by hackers: 

// Different browsers interpret JavaScript in various ways, leading developers to use deprecated code or compatibility workarounds, which can introduce vulnerabilities.
// JavaScript can expose users to security risks and unwanted behavior, leading many to block it entirely.
// Variations in how browsers handle JavaScript, such as with document.write, can cause inconsistent behavior.
// Malicious JavaScript code can cause browsers to crash or freeze.
// It can manipulate frame-to-frame URL changes, posing security risks.
// JavaScript can bypass security features using signed scripts to gain additional privileges.
// Cross-site scripting (XSS) is a common and dangerous attack method using JavaScript.
// JavaScript can access and modify files on a user’s device, especially through cookies.

/////////////////// Browser vs. Operating System Security

// Understanding the difference between browser and operating system security helps protect against malicious software. The operating system (e.g., Windows, Mac, Linux) runs various applications, including web browsers like Chrome, Firefox, Edge, and Safari. Browsers act as gateways between your computer and the internet, making them potential entry points for security threats.

// Securing Browsers and Operating Systems

// Operating systems are typically secured with antivirus software (e.g., Norton, McAfee, AVG). Browsers can be further protected by using updated versions and pop-up blockers. Specialized programs like STOPzilla and Ad-Aware help detect malware. Always install the latest updates and patches for both your operating system and browser to maintain security.

// Browser Security Issues

// Most browsers, old and new, have security vulnerabilities. As these are discovered, vendors release patches, but new versions often bring new issues. Hackers continuously exploit these weaknesses for malicious purposes.

// Example Issues in Recent Browsers

// A common scam involves pop-ups claiming the user's browser is infected, prompting them to click a link that launches a virus. Such attacks can also be triggered by keyboard actions like CTRL+ALT+DELETE, making them particularly dangerous.

// Developer and User Security Tips

// Users should keep browsers updated to the latest stable version, use pop-up blockers, and maintain up-to-date antivirus software.
// Developers should avoid risky practices, use standards-based code, minimize browser-specific code, and avoid deprecated features.

////////////////Script Blocking 

// JavaScript adds interactivity and visual effects to webpages but can also pose problems, such as malicious or annoying scripts (e.g., pop-up ads). To counter this, many browsers and third-party tools block JavaScript by default, or users can install add-ons like AdBlock Plus to selectively block scripts from untrusted sources. Anti-virus software also offers script-blocking features.

// Impact on Developers
// Developers should account for script blocking when designing websites. If critical site functions rely on JavaScript, inform users or provide alternatives for those blocking scripts, ensuring site functionality for all users.

//the <noscript> tag can be used to add HTML to display if javascript is disabled. 

//////////////Malicious and Accidental Coding:

// Both accidental and malicious errors can cause issues like infinite loops, which lock or crash the browser. To stop these, users must force-quit the browser (CTRL+SHIFT+ESC on Windows or CMD+OPT+ESC on Mac). 

//////////////Frame-To-Frame URL changing 

// Frames divide a browser window into multiple sections, so that content in one section can be reloaded without having to reload the whole page. They are not used that often anymore, but the iframe element is still used to contain things like videos from external sources.  

//Content from external sources can expose sites to vulnerabilities like malicious code injection and use of copyrighted content. 

//Iframes are vulnerable due to lack of security indicators or address bars. 

//Browsers now use the same-origin policy, which limits how frames interact. A frame can only change the location of another frame if they share the same protocol, host, and port. 

///////////// Cross-Site Scripting (XSS)

// Cross-site scripting (XSS) is a type of code injection attack in which an attacker injects malicious scripts into webpages viewed by other users. 
//XSS can be used to steal sensitive information like cookies, passwords, and other user data. This type of attack is one of the most common web security vulnerabilities, often targeting websites with input fields, such as search bars or comment sections.

// How XSS Works
// XSS attacks typically start with an attacker creating a malicious hyperlink, often masked to appear legitimate. Once a user clicks the link, the malicious script executes in their browser. If the website is vulnerable, the script can collect sensitive data or hijack the user’s session.

// Types of XSS Attacks

// There are three main types of XSS attacks:

// Reflected (Non-Persistent) XSS:

// The most common type.
// Occurs when a website immediately displays user input (for example search results) without proper validation or encoding.

// Persistent (Stored) XSS:

// More powerful and dangerous than reflected XSS.
// The malicious script is stored on the server and later delivered to users.

// DOM-Based XSS:

// Occurs when a vulnerability exists in client-side code.
// Example: An attacker crafts a URL that injects a script via a vulnerable page’s client-side code..

// What JavaScript Developers Can Do to Prevent XSS

// Output Encoding:

// The best defense mechanism is output encoding, where you take potentially harmful characters from user input and convert them into a safe format before displaying them on a webpage.

// Input Validation:

// Validate and sanitize user input to prevent malicious data from being submitted.

// Secure Cookies:

// Since XSS attacks often target session cookies, consider binding session cookies to a specific user’s IP address. This limits the attacker’s ability to hijack sessions if they manage to steal a cookie.

// Script Blocking:

// Users can block JavaScript entirely in their browsers to prevent script-based attacks. However, this comes at the cost of reducing web functionality and interactivity.

/////////////Cookies and Security 

// Cookies are small data files sent to a client’s browser, often by a server, and stored in memory or on the hard drive. They track user visits and maintain state across sessions.

// Types:

// Persistent Cookies: Stored on the hard drive and can last for years unless deleted.
// Session Cookies: Temporary and deleted after the user leaves the site.

// Why Use Cookies?

// Authentication: Store login info to simplify user access.
// User Information: Gather data like OS, browser type, and browsing history.
// State Maintenance: Remember user preferences or progress in applications.

// Storing Cookies

// Cookies are stored as name=value pairs. 
// Browsers typically allow 30-50 cookies per domain, deleting the oldest when limits are reached.

// Browser Cookie Management

// Users can delete or disable cookies, affecting site functionality. Testing for cookie presence is essential for applications relying on them.

// Assigning Cookies with JavaScript

// Use the document.cookie property:

document.cookie = "name=value"; 

//To set expiration and security:

document.cookie = "name=value; expires=date; secure";

//Testing for Cookie Presence

//To check cookies, use:

//alert(document.cookie);

//This displays all cookies associated with the current page. 

////////////////////////Ethics

// Developers collect user data for various purposes, but ethical considerations are crucial. Users expect their data to be protected and used responsibly. Data misuse can lead to legal consequences. 

// Legal Responsibilities

// Web developers must understand the legal landscape regarding user data, which varies internationally. Familiarity with regulations like GDPR, the U.S. Privacy Act, and HIPAA is essential. 

// Local vs. International Laws

// Data protection laws differ across countries. Developers should be aware of these variations when creating applications that could be used globally or by different age groups. 

// User Notification

// Users have the right to know how their data will be used. They should be informed about:

// Data handling and storage practices
// Reasons for data collection
// Storage duration
// Assurance of proper data use
// Potential sharing with third parties
// In some cases, user consent is required, especially for sensitive data. Developers should ensure transparency in data practices to build trust with users.
!
999px

Console