Hi Michael,
Michael Cohen wrote: How can HTML5 be leveraged with encryption?
What do you want to encrypt?
The problem with any encryption in the browser is:
- If you store the key on the client (which is necessary for offline use), it can be read via XSS and by any malware on the client
- If you store the key on the server, XSS-Code can still read the decrypted data during its usage
Michael Cohen wrote: Also where's the safest place to store data? Local storage?
If it's in any way sensitive: On the server.
All other data: The securest place is the session storage; for persistent storage I would prefer the local storage. Not for security reasons, but because all browsers have them. WebSQL and IndexedDB are only partly implemented. From a security point of view there is no really big difference between local storage, WebSQL and IndexedDB.
Michael Cohen wrote: Is there a way to prevent script injection?
Don't have XSS vulnerabilities. :-)
Check all data a user can tamper with for script code, best with a whitelist, or encode the data before you display it.
But if you search for an easy way: There is none, as long as you work with any data the user can tamper with.
Kind regards
Carsten
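
Added example, not part of the post above: one way to apply the "whitelist or encode before you display" advice to values read back from local or session storage, which a user or injected script can tamper with. The field names (username, theme, bio), the whitelist patterns and the fakeStorage stand-in are assumptions made for illustration.

```javascript
// Added example: treat everything read from client-side storage as tamperable.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a quoted attribute value.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Whitelist: structured fields must match an expected shape (hypothetical rules).
const WHITELIST = {
  username: /^[A-Za-z0-9_]{3,20}$/,
  theme: /^(light|dark)$/,
};

function isAllowed(field, value) {
  const rule = WHITELIST[field];
  return typeof value === 'string' && rule !== undefined && rule.test(value);
}

// Build markup from stored values: whitelisted fields fall back to a safe
// default when they fail the check, free text is always encoded.
function renderProfile(storage) {
  const rawName = storage.getItem('username');
  const rawTheme = storage.getItem('theme');
  const rawBio = storage.getItem('bio') ?? '';
  const name = isAllowed('username', rawName) ? rawName : 'guest';
  const theme = isAllowed('theme', rawTheme) ? rawTheme : 'light';
  return `<div class="profile ${theme}"><b>${encodeHtml(name)}</b>` +
         `<p>${encodeHtml(rawBio)}</p></div>`;
}

// Constructed stand-in for localStorage/sessionStorage so the example runs in Node.
function fakeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (key) => (map.has(key) ? map.get(key) : null) };
}

// Constructed sample: the theme and bio entries have been tampered with.
const tampered = fakeStorage({
  username: 'carol_01',
  theme: 'dark" onmouseover="x',
  bio: '<script>alert(1)</script> & more',
});
console.log(renderProfile(tampered));
```

The encoding here only covers HTML text and quoted attribute contexts; values placed into URLs, inline script or CSS need the encoding for that context.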