tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Amazon fires: G7 leaders close to agreeing plan to help, says Macron (26 Aug 2019)

 

Ariana Grande 'overwhelmed' on return to Manchester at Pride (26 Aug 2019)

 

Asian stocks drop as US-China trade war escalates (26 Aug 2019)

 

G7 summit: Iranian foreign minister attends unexpected talks (25 Aug 2019)

 

Women hit back at 'slut-shaming' (25 Aug 2019)

 

Mallorca aircraft collide in mid-air, killing at least seven (25 Aug 2019)

 

Hong Kong police fire gun and use water cannon on protesters (26 Aug 2019)

 

Floods kill more than 60 in Sudan (25 Aug 2019)

 

Brexit: Boris Johnson says odds of striking deal 'touch and go' (25 Aug 2019)

 

Israel says it struck Iranian 'killer drone' sites in Syria (25 Aug 2019)

more »

 

SF Gate

 

Banks want efficiency. Critics warn of backsliding (25 Aug 2019)

 

Our favorite back-to-school tech picks (25 Aug 2019)

 

Branded podcasts a surprise hit with consumers (25 Aug 2019)

 

Terrorists turn to bitcoin for funding, and they’re learning fast (23 Aug 2019)

 

DoorDash: Workers will get paid more, keep tips (23 Aug 2019)

 

Trump says he will raise existing tariffs on Chinese goods to 30% (23 Aug 2019)

more »


Site feed Updated: 2019-Aug-25 21:00