&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. The problem requires looking at how an input string is used in several different contexts.

  • In HTML/XML as text.
  • In HTML/XML as an attribute value inside the quotes.
  • In a URL as a query parameter.
  • In JavaScript, to dynamically create or edit DOM elements.

Each context has different escaping rules. Since data can move from one context to another, it has to be properly escaped in every case.

To help test for proper escaping, I have come up with the string below, which contains lots of special characters. Put it in your test database and paste it into your input fields, then observe whether it causes a problem anywhere. In a properly escaped system, the string should be transferred and reconstructed verbatim.


A related issue is whether your code supports Unicode correctly. I find it helpful to insert the string below into the test data to test this right from the beginning.

  \u4e09\u570b\u5fd7 or
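
The verbatim round trip described above can be checked mechanically. This is an added example, not code from the original post: the function names are hypothetical, and `PROBE` is a constructed value that assumes the special characters in the post's title plus the Unicode sample.

```javascript
// Added example. PROBE is a constructed test value: the special characters
// from the post's title plus the Unicode sample, written as a JS literal.
const PROBE = "&D\\anger'\"+<b>@?! \u4e09\u570b\u5fd7";

const HTML_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const HTML_UNMAP = Object.fromEntries(Object.entries(HTML_MAP).map(([k, v]) => [v, k]));

// Contexts 1 and 2: HTML/XML text and quoted attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}
// Single-pass decode, so "&amp;lt;" becomes "&lt;" and is not decoded twice.
function unescapeHtml(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => HTML_UNMAP[e]);
}

// Context 3: URL query parameter (percent-encoding; "+" becomes %2B).
function queryParam(name, value) {
  return encodeURIComponent(name) + "=" + encodeURIComponent(value);
}

// Context 4: a value handed to page JavaScript as a string literal in an
// inline <script>. JSON.stringify handles quotes and backslashes; "<", ">"
// and "&" are also escaped so "</script>" cannot end the block early.
// Markup that JS builds for innerHTML still needs escapeHtml.
function jsLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Data moving between contexts: a URL placed in an href is escaped twice,
// first for the query string, then for the attribute.
function linkTag(base, value) {
  const href = base + "?" + queryParam("q", value);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(value) + "</a>";
}

// Verbatim reconstruction: encode for each context, decode, compare.
function roundTrips(s) {
  return {
    html: unescapeHtml(escapeHtml(s)) === s,
    url: new URLSearchParams(queryParam("q", s)).get("q") === s,
    js: JSON.parse(jsLiteral(s)) === s,
  };
}

console.log(linkTag("/search", PROBE), roundTrips(PROBE));
```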

2012.05.01