tungwaiyip.info


&D\anger'"+<b>@?!mb Against Code Injection

I have to harden my web app against code injection. The root of the problem, as I see it, is that the same input string ends up being used in several different contexts:

  • In HTML/XML as text.
  • In HTML/XML as an attribute value inside quotes.
  • In a URL as a query parameter.
  • In JavaScript, to dynamically create or edit DOM elements.

Each context has its own escaping rules. Since the data can move from one context to another, it has to be escaped correctly for every one of them.

To help test for proper escaping, I have come up with the string below, which packs in lots of special characters. Put it in your test database and paste it into your input fields, then watch for anything that breaks. In a properly escaped system the string should be transferred and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code supports Unicode correctly. I find it helpful to insert the string below into the test data so that this is exercised right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志
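The round trip the post describes, as an added Python example (not the post's own code): each of the four contexts gets its own escaper, the matching decoder is applied, and both test strings above must come back verbatim. The parameter name `q`, the `lang=en` second parameter and the nested case of a query string inside an href attribute are my assumptions.

```python
import html
import json
from urllib.parse import parse_qs, urlencode

# Constructed test inputs, copied from the post: the special-character
# string and the CJK string 三國志.
DANGER = '&D\\anger\'"+<b>@?!mb'
CJK = "\u4e09\u570b\u5fd7"


def escape_html_text(s):
    """For a text node only & < > need escaping."""
    return html.escape(s, quote=False)


def escape_html_attr(s):
    """For a quoted attribute value " and ' must be escaped as well."""
    return html.escape(s, quote=True)


def escape_url_query(params):
    """Percent-encode a dict as a query string; & + ? \\ become %XX."""
    return urlencode(params)


def escape_js_string(s):
    """Emit a JS string literal. json.dumps handles quotes, backslashes
    and non-ASCII; '<' is encoded too, so an inlined literal can never
    contain '</script>' and close the surrounding script block."""
    return json.dumps(s).replace("<", "\\u003c")


def round_trips(s):
    """Escape s for each context, decode with the matching parser and
    report whether the original value came back verbatim."""
    query = escape_url_query({"q": s, "lang": "en"})
    # Data moving through two contexts (assumed scenario): a query string
    # in an href attribute is URL-escaped first, then attribute-escaped
    # (the & separating the parameters becomes &amp;).
    href = escape_html_attr("/search?" + query)
    decoded_query = html.unescape(href).split("?", 1)[1]
    return {
        "html_text": html.unescape(escape_html_text(s)) == s,
        "html_attr": html.unescape(escape_html_attr(s)) == s,
        "url_query": parse_qs(query)["q"] == [s],
        "js_string": json.loads(escape_js_string(s)) == s,
        "url_in_attr": parse_qs(decoded_query)["q"] == [s],
    }
```

Any `False` in the returned dict points at the context whose escaper or decoder mangles the string.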

2012.05.01
