tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Iran must halt nuclear work - Obama (03 Mar 2015)

 

'Monitoring deal' on Ukraine truce (03 Mar 2015)

 

Coffee linked to 'cleaner' arteries (03 Mar 2015)

 

Canadian 'missing in North Korea' (03 Mar 2015)

 

Tinder to charge over-28s more (02 Mar 2015)

 

Homeless man 'reached for LAPD gun' (02 Mar 2015)

 

US told to cut 80 Caracas diplomats (03 Mar 2015)

 

Iraq 'seizes districts from IS' (02 Mar 2015)

 

Mother knew Emwazi's voice on video (02 Mar 2015)

 

Pakistan anti-vaccine parents held (02 Mar 2015)

more »

 

Slashdot News for nerds, stuff that matters

 

Police Could Charge Data Center Operators In the Largest Child Porn Bust Ever (2015-03-03T01:11:00Z)

 

Ask Slashdot: Which Classic OOP Compiled Language: Objective-C Or C++? (2015-03-03T00:28:00Z)

 

New Seagate Shingled Hard Drive Teardown (2015-03-02T23:46:00Z)

 

Marissa Mayer On Turning Around Yahoo (2015-03-02T23:03:00Z)

 

Google Prepares To Enter Wireless Market As an MVNO (2015-03-02T22:20:00Z)

 

Photo First: Light Captured As Both Particle and Wave (2015-03-02T21:36:00Z)

 

Blackphone 2 Caters To the Enterprise, the Security-Minded and the Paranoid (2015-03-02T20:52:00Z)

 

NASA's Spitzer Team Releases Highest-resolution View of the Full Galactic Plane (2015-03-02T20:30:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Seven Americans in top 10 of Forbes' World's Richest list (2 Mar 2015)

 

Hackers get info on 50,000 Uber drivers (2 Mar 2015)

 

Virtual reality, e-sports headline SF Game Developers Conference (1 Mar 2015)

 

Office Space: Sprig cooks and codes in S.F. (1 Mar 2015)

 

Review: BlackBerry Classic a throwback, with limited capabilities (1 Mar 2015)

 

'Fro Patrol’ (28 Feb 2015)

more »

 

Asia Times Online

 

An unlikely marriage in Kashmir (Mon 2 Mar 2015 11:00:00 GMT)

 

HK maids' torturer gets 6 years (Mon 2 Mar 2015 11:00:00 GMT)

 

Israeli ex-generals condemn Netanyahu (Mon 2 Mar 2015 11:00:00 GMT)

 

COMMENT The Middle East and perpetual war (Mon 2 Mar 2015 11:00:00 GMT)

 

My war on terror (Mon 2 Mar 2015 11:00:00 GMT)

 

EU raises profile in Caucasus (Mon 2 Mar 2015 11:00:00 GMT)

 

Europe's upside-down myth about Greek debt (Mon 2 Mar 2015 11:00:00 GMT)

 

CREDIT BUBBLE BULLETIN Periphery fragility list (Mon 2 Mar 2015 11:00:00 GMT)

more »

 


Site feed Updated: 2015-Mar-02 21:00