tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Tunisia rivals in poll dispute (21 Dec 2014)

 

Driver attacks French pedestrians (21 Dec 2014)

 

US mulls putting NK on terror list (21 Dec 2014)

 

Kurds 'take' part of Sinjar from IS (21 Dec 2014)

 

Actress Billie Whitelaw dies aged 82 (21 Dec 2014)

 

Obama condemns killings of NY police (21 Dec 2014)

 

Pakistan carries out more executions (21 Dec 2014)

 

Oil price fall 'not Opec's fault' (21 Dec 2014)

 

FBI talks over Lockerbie bombing (21 Dec 2014)

 

Photographer Jane Bown dies aged 89 (21 Dec 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

The Magic of Pallets (2014-12-21T23:29:00Z)

 

26 Foot Long Boat 3D Printed In 100,000 Different Pieces (2014-12-21T22:16:00Z)

 

Cuba Says the Internet Now a Priority (2014-12-21T21:10:00Z)

 

Finland Announces an Anti-Laser Campaign For Air Traffic (2014-12-21T20:03:00Z)

 

Anonymous Claims They Will Release "The Interview" Themselves (2014-12-21T19:56:00Z)

 

Judge: It's OK For Cops To Create Fake Instagram Accounts (2014-12-21T18:50:00Z)

 

Bitcoin Exec To Spend Two Years Behind Bars For Silk Road Transactions (2014-12-21T17:45:00Z)

 

US Seeks China's Help Against North Korean Cyberattacks (2014-12-21T16:41:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

How to get your Kickstarter project chosen as a Staff Pick (20 Dec 2014)

 

Port of Oakland delays: 'Absolute madness’ threatens business (20 Dec 2014)

 

Making sense of all the robo-advisers (20 Dec 2014)

 

Trendsetting computers that set the bar in 2014 (20 Dec 2014)

 

Apple’s 2 moves highlight ho-hum tech year (20 Dec 2014)

 

Data security in question after Sony hack (20 Dec 2014)

more »

 

Asia Times Online

 

Netanyahu shatters Israel's image (Fri 19 Dec 2014 11:00:00 GMT)

 

Israel lends al-Nusra a hand in Syria (Fri 19 Dec 2014 11:00:00 GMT)

 

Crossroads for terror in South Asia (Fri 19 Dec 2014 11:00:00 GMT)

 

Whither Ukraine's revolution? (Fri 19 Dec 2014 11:00:00 GMT)

 

Jiangsu teachers stage protest (Fri 19 Dec 2014 11:00:00 GMT)

more »

 


Site feed Updated: 2014-Dec-21 16:00