tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

US urges calm as Kirkuk crisis escalates (17 Oct 2017)

 

Catalonia: Spain detains two separatists (17 Oct 2017)

 

Trump denigrates Obama over false fallen soldier claim (16 Oct 2017)

 

Portugal fires: Three days of national mourning for wildfire victims (17 Oct 2017)

 

Malta blogger Daphne Caruana Galizia dies in car bomb attack (16 Oct 2017)

 

China congress: Why Beijing has banned hot air balloons (16 Oct 2017)

 

Philippine conflict: Duterte says Marawi is militant-free (17 Oct 2017)

 

Trump drug czar nominee accused of hindering opioid crackdown (16 Oct 2017)

 

Afghanistan Taliban 'suicide attack' on police centre (17 Oct 2017)

 

St Helena's new airport boosts tourism hopes (17 Oct 2017)

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

California man cited for flying drone over airport, impeding firefighters (16 Oct 2017)

 

Court to rule on forcing tech firms to provide data held abroad (16 Oct 2017)

 

Fed’s Yellen says the economy remains in good health (16 Oct 2017)

 

After the smoke clears: Wine Country economy expected to rebound (15 Oct 2017)

 

Updated: Where fire victims can apply for tax relief and FEMA grants and loans (14 Oct 2017)

 

Twitter CEO Jack Dorsey promises tougher stance on abusive tweets (14 Oct 2017)

more »

 


Site feed Updated: 2017-Oct-17 03:00