tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Weather blights S Korea ferry search (17 Apr 2014)

 

Putin cautious on force in Ukraine (17 Apr 2014)

 

Pistorius forensic tests challenged (17 Apr 2014)

 

Iran has 'cut uranium stock' - IAEA (17 Apr 2014)

 

Mini-sub performs full MH370 search (17 Apr 2014)

 

India votes on biggest polling day (17 Apr 2014)

 

Tencent brings Candy Crush to China (17 Apr 2014)

 

US case against Abu Hamza to start (17 Apr 2014)

 

Fate of Nigeria kidnap girls unclear (17 Apr 2014)

 

Argentina girl kept years in garage (17 Apr 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

FBI Drone Deployment Timeline (2014-04-17T00:33:00Z)

 

GoPro Project Claims Technology Is Making People Lose Empathy For Homeless (2014-04-16T23:48:00Z)

 

Industry-Wide Smartphone "Kill Switch" Closer To Reality (2014-04-16T23:02:00Z)

 

Code Quality: Open Source vs. Proprietary (2014-04-16T22:17:00Z)

 

Ask Slashdot: What Good Print Media Is Left? (2014-04-16T21:35:00Z)

 

Steam's Most Popular Games (2014-04-16T20:54:00Z)

 

'Thermoelectrics' Could One Day Power Cars (2014-04-16T20:12:00Z)

 

Survey: 56 Percent of US Developers Expect To Become Millionaires (2014-04-16T19:30:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

AngelList's new fund could lead to big shift in venture capital (16 Apr 2014)

 

Public-private shield needed against hackers, Tom Ridge says (16 Apr 2014)

 

Protesters call on Apple to pay more taxes on overseas funds (15 Apr 2014)

 

DNA alternative to Pap smear prompts medical debate (15 Apr 2014)

 

Zebra Technologies to borrow funds to buy Motorola unit (15 Apr 2014)

 

Ship traffic for April 16 (15 Apr 2014)

more »

 

Asia Times Online

 

Asia bucks military spending decline (15 Apr 2014)

 

Breaking bad in southern NATOstan (15 Apr 2014)

 

US veterans promote 'right to heal' (15 Apr 2014)

 

New China-India era no shoo-in under Modi (15 Apr 2014)

 

Doubts cloud China's urbanization drive (15 Apr 2014)

 

CREDIT BUBBLE BULLETIN Financial stability (15 Apr 2014)

more »

 


Site feed Updated: 2014-Apr-17 06:00