about me



Yucatán Photos

St Lucia Photos

Photo Album



< May 2012 >
   1 2 3 4 5
6 7 8 9101112

past articles »

Click for San Francisco, California Forecast

San Francisco, USA


&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.


A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or

2012.05.01 [] - comments



blog comments powered by Disqus

past articles »


BBC News


Italy holds day of mourning for quake dead (27 Aug 2016)


Bangladesh 'cafe attack planner killed' in police raid (27 Aug 2016)


Donald Trump doctor admits writing health note in five minutes (27 Aug 2016)


France burkini ban: Mayors urged to heed court's ruling (27 Aug 2016)


Micronesia: Couple rescued from desert island after SOS spotted in sand (27 Aug 2016)


'British' boy in Islamic State group execution video (27 Aug 2016)


North Carolina transgender students win toilet access ruling (27 Aug 2016)


Syrian war: US and Russia 'achieve clarity on path forward' (27 Aug 2016)


China joins UN in condemning North Korea ballistic missile tests (27 Aug 2016)


World's largest marine reserve created off Hawaii (27 Aug 2016)

more »


SF Gate


Bay Area News (7 Jan 2012)


City Insider (11 Feb 2012)


Crime Scene (13 Feb 2012)


C.W Newius Column (10 Jan 2012)


C.W. Nevius Blog (11 Feb 2012)


Education News (10 Jan 2012)


KALW (11 Feb 2012)


Matier and Ross Blog (11 Feb 2012)


Corporations turn to their own green energy sources (26 Aug 2016)


Yellen says interest rate hike on the table, not a sure thing (26 Aug 2016)


J.C. Penney could be last department store standing at malls (26 Aug 2016)


Changing Durant’s name; KFC’s ‘secret’ recipe; Detroit flights (26 Aug 2016)


Lego opens first S.F. store (26 Aug 2016)


Federal attention on Leslie Jones hack; Obama and Yosemite in VR (25 Aug 2016)

more »


Site feed Updated: 2016-Aug-27 06:00