tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Burkina Faso leader 'to stay on' (31 Oct 2014)

 

Russia-Ukraine deals secures EU gas (31 Oct 2014)

 

Charity warns US on Ebola quarantine (31 Oct 2014)

 

Key Jerusalem holy site 'to reopen' (31 Oct 2014)

 

Myanmar in rare multi-party talks (31 Oct 2014)

 

US police killing suspect captured (31 Oct 2014)

 

Drones buzz French nuclear plants (30 Oct 2014)

 

Mass graves found in western Iraq (30 Oct 2014)

 

Four dead in Kansas airport crash (30 Oct 2014)

 

Australia ends sanctions on Fiji (31 Oct 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

Researchers Claim Metal "Patch" Found On Pacific Island Is From Amelia Earhart (2014-10-31T00:59:00Z)

 

New Study Shows Three Abrupt Pulses of CO2 During Last Deglaciation (2014-10-31T00:01:00Z)

 

Google To Disable Fallback To SSL 3.0 In Chrome 39 and Remove In Chrome 40 (2014-10-30T23:16:00Z)

 

Charity Promotes Covert Surveillance App For Suicide Prevention (2014-10-30T22:32:00Z)

 

Vulnerabilities Found (and Sought) In More Command-Line Tools (2014-10-30T21:47:00Z)

 

Getting 'Showdown' To 90 FPS In UE4 On Oculus Rift (2014-10-30T21:26:00Z)

 

Signed-In Maps Mean More Location Data For Google (2014-10-30T21:05:00Z)

 

Pirate Bay Founder Gottfrid Warg Faces Danish Jail Time (2014-10-30T20:23:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

The Fed leaves the American public behind (30 Oct 2014)

 

Business news roundup, Oct. 31 (30 Oct 2014)

 

Microsoft releases fitness band that tracks health data (30 Oct 2014)

 

Movie theaters ban Google Glass (30 Oct 2014)

 

Fed keeps interest rates at record low, ends bond buying (30 Oct 2014)

 

Apple Pay competitor CurrentC gets breached (30 Oct 2014)

more »

 

Asia Times Online

 

Fighting for survival in the Sinai (Tue 28 Oct 2014 11:00:00 GMT)

 

THE ROVING EYE The loser in Brazil is neoliberalism (Tue 28 Oct 2014 11:00:00 GMT)

 

Melting glaciers add to woes at Kumtor (Tue 28 Oct 2014 11:00:00 GMT)

 

THE BEAR'S LAIR Silicon Valley is now a short (Tue 28 Oct 2014 11:00:00 GMT)

more »

 


Site feed Updated: 2014-Oct-31 00:00