tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Ebola global security threat - Obama (16 Sep 2014)

 

Referendum campaigns make final push (17 Sep 2014)

 

Nasa picks astronaut ship designs (16 Sep 2014)

 

Ukraine rebels to get self-rule (16 Sep 2014)

 

US 'would consider Iraq ground troops' (16 Sep 2014)

 

Rob Ford says he is 'pretty sick' (16 Sep 2014)

 

French PM Valls wins confidence vote (16 Sep 2014)

 

Chief defends Kashmir flood response (16 Sep 2014)

 

CCTV released in Thai murder hunt (16 Sep 2014)

 

'100 children died' in Malta sinking (16 Sep 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

Why Is It Taking So Long To Secure Internet Routing? (2014-09-17T00:19:00Z)

 

What To Expect With Windows 9 (2014-09-16T23:21:00Z)

 

The Case For a Federal Robotics Commission (2014-09-16T22:40:00Z)

 

Digia Spins Off Qt As Subsidiary (2014-09-16T22:22:00Z)

 

NASA's Manned Rocket Contract: .2 Billion To Boeing, .6 Billion To SpaceX (2014-09-16T21:58:00Z)

 

FBI Completes New Face Recognition System (2014-09-16T21:15:00Z)

 

Micron Releases 16nm-Process SSDs With Dynamic Flash Programming (2014-09-16T20:34:00Z)

 

Astronomers Find Star-Within-a-Star, 40 Years After First Theorized (2014-09-16T19:52:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Product Hunt goes from listserv to multimillion-dollar company (16 Sep 2014)

 

Late Chinese delivery of Apple’s new iPhones (16 Sep 2014)

 

Bloomberg briefing (16 Sep 2014)

 

Gasoline prices just keep falling (15 Sep 2014)

 

Shipping, Sept. 16 (15 Sep 2014)

 

GM expert says 19 deaths eligible for compensation (15 Sep 2014)

more »

 

Asia Times Online

 

What draws Modi to China (Tue 16 Sep 2014 11:00:00 GMT)

 

China expects Modi to deliver (Tue 16 Sep 2014 11:00:00 GMT)

 

A convenient Middle East genocide (Tue 16 Sep 2014 11:00:00 GMT)

 

FILM REVIEW From Hamas royalty to Israel's spy (Tue 16 Sep 2014 11:00:00 GMT)

 

Rattled by Russia, Tashkent looks east (Tue 16 Sep 2014 11:00:00 GMT)

 

China bids to cut coal output, halt price fall (Tue 16 Sep 2014 11:00:00 GMT)

 

THE BEAR'S LAIR Viennese peace twirl (Tue 16 Sep 2014 11:00:00 GMT)

more »

 


Site feed Updated: 2014-Sep-16 19:00