tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

New Zealand volcano: 'No sign of life' after White Island eruption (09 Dec 2019)

 

Russia banned from global sports for four years (09 Dec 2019)

 

Finnish minister Sanna Marin, 34, to become world's youngest PM (09 Dec 2019)

 

General election 2019: Boris Johnson's Brexit plan 'presents major challenge' (09 Dec 2019)

 

'Tonight a door was opened' says new Miss Universe (09 Dec 2019)

 

Restoring the theme park abandoned for 20 years (09 Dec 2019)

 

French far-left leader Mélenchon sentenced for intimidation (09 Dec 2019)

 

Saudi Arabia ends gender segregation in restaurants (09 Dec 2019)

 

China Uighurs: Detainees 'free' after 'graduating', official says (09 Dec 2019)

 

Ukraine: Paris talks with Russia aim to end eastern conflict (09 Dec 2019)

more »

 

SF Gate

 

Ship traffic, December 9 (8 Dec 2019)

 

UN climate talks aim to pave way for global carbon market (8 Dec 2019)

 

Conference planners seek food truck experience (actual truck optional) (8 Dec 2019)

 

Chamillionaire wants to add diversity to tech startups (7 Dec 2019)

 

How a strong job market has proved the experts wrong (7 Dec 2019)

 

Fake ‘likes’ remain just a few dollars away, researchers say (7 Dec 2019)

more »


Site feed Updated: 2019-Dec-09 07:00