]]>
本文介紹中文字號、磅(pt)和像素(px)的對照關系,方便大家設計網頁時參考合適的字號,一般網頁正文字體為12px到16px,相當于9-12磅字號大小,標題文字可以稍大一點,具體參見下文表格字體大小,本文內容來源于網絡匯總,做了點補充,如有錯誤,歡迎指出。
一、基本單位概念
| 單位 | 中文名稱 | 轉換 |
| inch | 英寸 | 1英寸=2.54厘米 |
| cm | 厘米 | |
| pt | 磅或點數,是point簡稱 | 1pt=1/72(英寸) |
| px | 像素,是pix簡稱 | |
二、中文字號大小、磅和像素對照關系
下表參照顯示器96dbi(每英寸點數)顯示進行換算結果。比如:6.5pt = 6.5 * 1/72 * 96 = 8.6px,像素肯定不能出現小數點的,一般是取小顯示。下表字體已經按照各行所代表的字號大小進行顯示。
| 字號 | 磅(pt) | 像素(px) |
| 小六 | 6.5 | 8px |
| 六號 | 7.5 | 10px |
| 小五 | 9 | 12px |
| 五號 | 10.5 | 14px |
| 小四 | 12 | 16px |
| 四號 | 14 | 18px |
| 小三 | 15 | 20px |
| 三號 | 16 | 21px |
| 小二 | 18 | 24px |
| 二號 | 22 | 29px |
| 小一 | 24 | 32px |
| 一號 | 26 | 34px |
| 小初 | 36 | 48px |
| 初號 | 42 | 56px |
]]>
By Jake Edge
May 21, 2008
Two weeks ago on this page, we reported on some Wordpress vulnerabilities that were caused by incorrectly generating authentication cookies. The article was a bit light on details about such cookies, so this follow-up hopes to remedy that. In addition, Steven Murdoch, who discovered both of the holes, recently presented a paper on a new cookie technique that provides some additional safeguards over other schemes.
兩周前在此頁上,我們報道了由不正確生成的身份驗證 cookies 引起的一些 Wordpress 漏洞。那篇文檔對這些 cookies 的細節描述略少,這篇后續的文章希望能解決這個問題。另外,發現這些漏洞的 Steven Murdoch,最近發表了篇關于一種新的 cookie 技術的文章,文章提供了其他方案之`上`的一些額外保護措施。
HTTP is a stateless protocol which means that any application that wishes to track multiple requests as a single session must provide its own way to link those requests. This is typically done through cookies, which are opaque blobs of data that are stored by browsers. Cookies are sent to the browser as part of an HTTP response, usually after some kind of authentication is successful. The browser associates the cookie with the URL of the site so that it can send the cookie value back to the server on each subsequent request.
HTTP 是一種無狀態的協議,這意味著任何希望跟蹤多個請求作為單個會話的應用程序,必須提供自己的方式來鏈接這些請求。這通常通過 cookies 來完成,cookies 是瀏覽器存儲的不透明的數據塊。通常,在某種身份認證成功后,cookies 被作為一個 HTTP 響應的一部分發送給瀏覽器。瀏覽器把 cookie 和對應網站的 URL 關聯起來,以便它可以在每個后續請求中回送 cookie 值到服務器。
Servers can then use the value as a key into some kind of persistent storage so that all requests that contain that cookie value are treated as belonging to a particular session. In particular, it represents that the user associated with that session has correctly authenticated. The cookie lasts until it expires or is deleted by the user. When that happens, the user must re-authenticate to get a new cookie which also starts a new session. Users find this annoying if it happens too frequently, so expirations are often quite long.
然后,服務器可以`用某種持久性存儲的鍵`使用該值,使得所有包含該 cookie 值的請求,被視為屬于同一個特定會話。特別是,它代表和該會話關聯的那個已經正確通過身份驗證的用戶。一個 cookie 一直存在,直到過期或被用戶刪除。此時,用戶必須重新進行身份驗證,獲取一個新 cookie,同時開始一個新會話。如果它發生的過于頻繁,會讓用戶感到惱人,所以到期時間通常相當長。
If the user explicitly logs out of the application, any server-side resources that are being used to store state information can be freed, but that is often not the case. Users will generally just close their browser (or tab) while still being logged in. It is also convenient for users to be allowed multiple concurrent sessions, generally from multiple computers, which will cause the number of sessions stored to be larger, perhaps much larger, than the number of users.
如果用戶顯式地登出應用程序,任何用來存儲狀態信息的服務器端資源會被釋放,但情況經常不是這樣。用戶通常只是關閉他們的瀏覽器(或標簽頁),當仍在登錄狀態時。這也允許用戶方便地,從不同的計算機上使用多個并發會話。這將導致存儲更大的會話數量,也許比用戶數量大許多。
Applications could restrict the number of sessions allowed by a user, or ratchet the expiration value way down, but they typically do not for user convenience. This allows for a potential denial of service when an attacker creates so many sessions that the server runs out of persistent storage. For this reason, stateless session cookies [PDF][http://prisms.cs.umass.edu/~kevinfu/papers/webauth_tr.pdf] were created.
應用程序可以限制允許一個用戶使用的會話數,或者``,但它們通常不方便用戶使用。這允許一個潛在的拒絕服務,當一個攻擊者創建太多會話,以至于服務器用完持久性存儲時。出于這個原因,無狀態會話 cookies 被創建。
Stateless session cookies store all of the state information in the cookie itself, so that the server need not keep anything in the database, filesystem, or memory. The data in the cookie must be encoded in such a way that they cannot be forged, otherwise attackers could create cookies that allow them access they should not have. This is essentially where Wordpress went wrong. By not implementing stateless session cookies correctly, a valid cookie for one user could be modified into a valid cookie for a different user.
無狀態會話 cookies 把所有狀態信息存儲到 cookie 本身,使服務器不需要在數據庫、文件系統或內存中保存任何信息。Cookie 中的數據必須以不能被偽造的方式編碼,否則攻擊者可以創建允許他們訪問不應該訪問內容的 cookies 。實際上這就是 Wordpress 出問題的地方。由于沒有正確使用無狀態會話 cookies ,一個用戶的有效 cookie 可以被修改成另一個不同用戶的有效 cookie 。
A stateless session cookie has the state data and expiration "in the clear" followed by a secure hash (SHA-256 for example) of those same values along with a key known only by the server. When the server receives the cookie value, it can calculate the hash and if it matches, proceed to use the state information. Because the secret is not known, an attacker cannot create their own cookies with values of their choosing.
一個無狀態的會話 cookie 有狀態數據和明確的到期時間,后跟一個安全哈希值(例如 SHA-256),該哈希值和只有服務器知道的一個鍵`對應`。當服務器接收到 cookie 值,會計算哈希值,如果匹配,繼續使用其中的狀態信息。由于這個密鑰是未知的,攻擊者不能使用他們選擇的值創建自己的 cookies 。
The other side of that coin is that an attacker can create spoofed cookies if they know the secret. Murdoch wanted to extend the concept such that even getting access to the secret, through a SQL injection or other web application flaw, would not feasibly allow an attacker to create a spoofed cookie. The result is hardened stateless session cookies [PDF][http://www.cl.cam.ac.uk/~sjm217/papers/protocols08cookies.pdf].
硬幣的另一面是,如果攻擊者知道密鑰,可以創建欺騙性的 cookies 。Murdoch 希望擴展概念,使得通過 SQL 注入或其它 web 應用漏洞訪問密鑰后,攻擊者也無法創建一個欺騙性的 cookie。結果就是強化的無狀態會話 cookies 。
The basic idea behind the scheme is to add an additional field to stateless session cookies that corresponds to an authenticator generated when an account is first set up. This authenticator is generated from the password at account creation by iteratively calculating the cryptographic hash of the password and a long salt value.
該方案背后的基本思路是,給無狀態會話 cookie 增加一個額外的字段,這個字段和賬戶首次設置時生成的一個`身份驗證器`對應。身份驗證器由創建賬戶時的密碼生成,生成方法是,迭代計算密碼的加密哈希和一個長 salt 值。
Salt is a random string—usually just a few characters long—that is added to a password before it gets hashed, then stored with the password in the clear. It is used to eliminate the use of rainbow tables to crack passwords. Hardened stateless session cookies use a 128-bit salt value, then repeatedly calculate HASH(prev|salt), where prev is the password the first time through and the hash value from the previous calculation on each subsequent iteration.
Salt 是一個隨機字符串——通常只有幾個字符長——它在被計算哈希值前添加到密碼中,然后以明文形式和密碼一起存儲。它是用來杜絕使用彩虹表破解密碼的。`硬化`的無狀態會話 cookies 使用128位 salt 值,然后迭代計算 HASH(prev|salt) , 其中 prev 在第一次迭代時是密碼,在以后每次迭代中是上次計算的 hash 值。
The number of iterations is large, 256 for example, but not a secret. Once that value is calculated, it is hashed one last time, without the salt, and then stored in the user table as the authenticator. When the cookie value is created after a successful authentication, only the output of the iterative hash itself is placed in the cookie, not the authenticator that is stored in the database. Cookie verification then must do the standard stateless session cookie hash verification, to ensure that the values have not been manipulated, then hash the value in the cookie to verify against authenticator in the database.
迭代次數是個大的值,例如256,但這不是保密的。值被計算出來后,再不使用 salt 哈希一次,然后作為身份驗證器存儲到用戶表中。當 cookie 通過一次成功認證被創建后,只有輸出的迭代哈希值被保存在 cookie 中,而不保存數據庫中的身份驗證器。Cookie 驗證必須進行標準的無狀態會話 cookie 哈希驗證,來確保值沒有被修改過,然后哈希 cookie 中的值和數據庫中的身份驗證器對比。
If it sounds complicated, it is; the performance of doing 256 hashes is also an issue, but it does protect against the secret key being lost. Because an attacker cannot calculate a valid authenticator value to put in the cookie (doing so would require breaking SHA-256), they cannot create their own spoofed cookies.
如果這聽起來很復雜,確實;進行256次哈希的性能也是一個問題,但它確實能避免密鑰丟失。因為攻擊者無法計算一個有效的用戶驗證器放進 cookie 中(這樣做需要突破 SHA-256),所以他們不能創建自己的欺騙 cookie 。
While it is not clear that the overhead of all of these hash calculations is warranted, it is an interesting extension to the stateless session cookie scheme. In his paper, Murdoch mentions some variations that could be used to further increase the security of the technique.
目前尚不清楚所有這些哈希計算的開銷是否有必要,這是一個擴展無狀態會話 cookie 的有趣方案。在他的文章中,Murdoch 提到了一些可以進一步提高該技術安全性的變化。
---
后面沒看明白。
無狀態會話 cookie 中的密鑰可能被攻擊者獲取,authenticator 為什么不能被攻擊者獲取?獲取這兩個東西的難度有區別么?
---
TODO
| hash salt
| 彩虹表
]]>
CSRF token missing or incorrect
--
1 在 templete 中, 為每個 POST form 增加一個 {% csrf_token %} tag. 如下:
<form>
{% csrf_token %}
</form>
2 在 view 中, 使用 django.template.RequestContext 而不是 Context.
render_to_response, 默認使用 Context. 需要改成 RequestContext.
導入 class:
from django.template import RequestContext
給 render_to_response 增加一個參數:
def your_view(request):
...
return render_to_response('template.html',
your_data,
context_instance=RequestContext(request)
)
]]>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<style>
body {
color: white;
background-color: black;
}
p {
color: yellow;
font-family: "arial", sans-serif;
font-size: 1.2em;
}
.special {
font-style: italic;
}
h2.special {
text-transform: uppercase;
}
#purchases {
border: 1px solid white;
background-color: #333;
color: #ccc;
padding: 1em;
}
#purchases li {
font-weight: bold;
}
</style>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>Shopping list</title>
</head>
<body>
<h1>What to buy</h1>
<p title="a gentle reminder">Don't forget to buy this stuff.</p>
<ul id="purchases">
<li>A tin of beans</li>
<li>Cheese</li>
<li>Milk</li>
</ul>
<p class="special">This paragraph has the special class</p>
<h2 class="special">So does this headline</h2>
<script>
var println = function(arg) {
if (arg)
document.write(arg);
document.write("<br />");
}
println("getElementById():");
println("id purchases: " + document.getElementById("purchases"));
println("innerText: " + document.getElementById("purchases").innerText);
println();
println("getElementsByTagName():")
li_items = document.getElementsByTagName("li");
println("tag li: " + li_items);
println("length: " + li_items.length);
for (var i = 0; i < li_items.length; i++) {
println(i + ": " + document.getElementsByTagName("li")[i].innerText);
}
println();
println("with \"*\" :");
println("all tags: " + document.getElementsByTagName("*").length);
println();
println("combine ById and ByTagName - get tags in a id: ")
var shopping = document.getElementById("purchases");
var items = shopping.getElementsByTagName("*");
println("tag \"*\" in id \"purchases\": " + items.length);
println();
println("object.getAttribute(attribute) - get title attribute of the objects which tags are p");
var tags_p = document.getElementsByTagName("p");
for (var i = 0; i < tags_p.length; i++) {
println(tags_p[i].getAttribute("title"));
}
println();
println("object.setAttribute(attribute, value) - set title attribute of the object which id is purchases");
var shopping = document.getElementById("purchases");
shopping.setAttribute("title", "a list of goods");
println(shopping.getAttribute("title"));
</script>
</body>
</html>
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<style>
body {
color: white;
background-color: black;
}
p {
color: yellow;
font-family: "arial", sans-serif;
font-size: 1.2em;
}
.special {
font-style: italic;
}
h2.special {
text-transform: uppercase;
}
#purchases {
border: 1px solid white;
background-color: #333;
color: #ccc;
padding: 1em;
}
#purchases li {
font-weight: bold;
}
</style>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>Shopping list</title>
</head>
<body>
<h1>What to buy</h1>
<p title="a gentle reminder">Don't forget to buy this stuff.</p>
<ul id="purchases">
<li>A tin of beans</li>
<li>Cheese</li>
<li>Milk</li>
</ul>
<p class="special">This paragraph has the special class</p>
<h2 class="special">So does this headline</h2>
<script>
var println = function(arg) {
if (arg)
document.write(arg);
document.write("<br />");
}
println("getElementById():");
println("id purchases: " + document.getElementById("purchases"));
println("innerText: " + document.getElementById("purchases").innerText);
println();
println("getElementsByTagName():")
li_items = document.getElementsByTagName("li");
println("tag li: " + li_items);
println("length: " + li_items.length);
for (var i = 0; i < li_items.length; i++) {
println(i + ": " + document.getElementsByTagName("li")[i].innerText);
}
println();
println("with \"*\" :");
println("all tags: " + document.getElementsByTagName("*").length);
println();
println("combine ById and ByTagName - get tags in a id: ")
var shopping = document.getElementById("purchases");
var items = shopping.getElementsByTagName("*");
println("tag \"*\" in id \"purchases\": " + items.length);
println();
println("object.getAttribute(attribute) - get title attribute of the objects which tags are p");
var tags_p = document.getElementsByTagName("p");
for (var i = 0; i < tags_p.length; i++) {
println(tags_p[i].getAttribute("title"));
}
println();
println("object.setAttribute(attribute, value) - set title attribute of the object which id is purchases");
var shopping = document.getElementById("purchases");
shopping.setAttribute("title", "a list of goods");
println(shopping.getAttribute("title"));
</script>
</body>
</html>
]]>
HTML xmlns 屬性
xmlns 屬性可以在文檔中定義一個或多個可供選擇的命名空間. 該屬性可以放置在文檔內任何元素的開始標簽中. 該屬性的值類似于 URL, 它定義了一個命名空間, 瀏覽器會將此命名空間用于該屬性所在元素內的所有內容.
例如, 如果需要使用符合 XML 規范的 XHTML 文檔, 則應該在文檔中的 <html> 標簽中至少使用一個 xmlns 屬性, 以指定整個文檔所使用的主要命名空間.
<html xmlns="http://www.w3.org/1999/xhtml">
--
http://www.w3school.com.cn/tags/tag_prop_xmlns.asp
--
TODO XML
~
]]>
HTML <!DOCTYPE> Declaration
--
Definition and Usage
The doctype declaration should be the very first thing in an HTML document, before the <html> tag.
The doctype declaration is not an HTML tag; it is an instruction to the web browser about what version of the markup language the page is written in.
The doctype declaration refers to a Document Type Defination(DTD). The DTD specifies the rules for the markup language, so that the browsers render the content correctly.
--
Doctype Avalable in the W3C Recommendations
XHTML 1.1
This DTD is equal to XHTML 1.0 Strict, but allows you to add modules (for examp.e to provide ruby support for East-Asian languages).
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
--
http://www.w3schools.com/tags/tag_doctype.asp
]]>
# yum install phpmyadmin
Config:
# vim /usr/share/phpMyAdmin/config.inc.php
$cfg['blowfish_secret'] = 'colorfulgreen'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Run:
# /etc/init.d/mysqld start
# service httpd start
]]>
--
JavaScript 的 new, 好久不見啊
原文: JavaScript, We Hardly new Ya --Douglas Crockford。
JavaScript是一門基于原型的語言,但它卻擁有一個 new 操作符使得其看起來象一門經典的面對對象語言。那樣也迷惑了程序員們,導致一些有問題的編程模式。
其實你永遠不需要在JavaScript使用 new Object()。用字面量的形式{}去取代吧。
同理,不要使用 new Array() ,而代之以字面量[]。JavaScript中的數組并不象Java中的數組那樣工作的,使用類似Java的語法只會讓你糊涂。
同理不用使用 new Number, new String, 或者 new Boolean。這些的用法只會產生無用的類型封裝對象。就直接使用簡單的字面量吧。
不要使用 new Function 去創建函數對象。用函數表達式更好。比如:
frames[0].onfocus = new Function(“document.bgColor=’antiquewhite’”)
更好的寫法是:
frames[0].onfocus = function () {document.bgColor = ‘antiquewhite’;};
第二種形式讓腳本編譯器更快的看到函數主體,于是其中的語法錯誤也會更快被檢測出來。有時候程序員使用 new Function 是因為他們沒有理解內部函數是如何工作的。
selObj.onchange = new Function(“dynamicOptionListObjects["+
dol.index+"].change(this)”);
如果我們讓用字符串做函數體,編譯器不能看到它們。如果我們用字符串表達式做函數體,我們同樣也看不到它們。更好的方式就是不要盲目編程。通過制造一個返回值為函數的函數調用,我們可以明確的按值傳遞我們想要綁定的值。這允許我們在循環中初始化一系列 selObj 對象。
selObj.onchange = function (i) {
return function () {
dynamicOptionListObjects[i].change(this);
};
}(dol.index);
直接對一個函數使用new永遠不是一個好主意。比如, new function 對構造新對象沒有提供什么優勢。
myObj = new function () {
this.type = ‘core’;
};
更好的方式是使用對象字面量,它更輕巧,更快捷。
myObj = {
type: ‘core’
};
假如我們需要創建的對象包含的方法需要訪問私有變量或者函數,更好的方式仍然是避免使用new.var foo = new function() {
function processMessages(message) {
alert(“Message: ” + message.content);
}
this.init = function() {
subscribe(“/mytopic”, this, processMessages);
}
}
通過使用 new 去調用函數,對象會持有一個無意義的原型對象。這只會浪費內存而不會帶來任何好處。如果我們不使用new,我們就不用在對象鏈維護一個無用的prototype對象。所以我們可以用()來正確的調用工廠函數。var foo = function () {
function processMessages(message) {
alert(“Message: ” + message.content);
}
return {
init: function () {
subscribe(“/mytopic”, this, processMessages);
}
};
}();
所以原則很簡單: 唯一應該要用到new操作符的地方就是調用一個古老的構造器函數的時候。當調用一個構造器函數的時候,是強制要求使用new的。有時候可以來new一下, 有的時候還是不要了吧。
]]>
]]>