tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

US-Iran crisis: Trump lashes out at 'ignorant and insulting' statement (25 Jun 2019)

 

San Francisco becomes first US city to ban e-cigarettes (25 Jun 2019)

 

Jeremy Hunt: Next UK PM must be trustworthy (25 Jun 2019)

 

Stephanie Grisham: Melania Trump's top aide picked as press secretary (25 Jun 2019)

 

In pictures: Europe's June 2019 heatwave (25 Jun 2019)

 

Fertility doctor loses licence after using his own sperm (25 Jun 2019)

 

'World's best restaurant' is France's Mirazur (25 Jun 2019)

 

'Climate apartheid' between rich and poor looms, UN expert warns (25 Jun 2019)

 

New York helicopter crash: Pilot 'did not know where he was' (25 Jun 2019)

 

Rhino release: Epic journey to freedom in Rwanda (25 Jun 2019)

more »

 

SF Gate

 

Ship traffic, June 26 (25 Jun 2019)

 

A look back at Microsoft for lessons on antitrust (24 Jun 2019)

 

A message from the billionaires club: Tax us (24 Jun 2019)

 

Justices side with business, government in information fight (24 Jun 2019)

 

50 years later, the moon is still great for business (24 Jun 2019)

 

Supreme Court’s red-letter ruling for a 4-letter trademark (24 Jun 2019)

more »


Site feed Updated: 2019-Jun-25 15:00