about me


my software


Yucatán Photos

St Lucia Photos

Photo Album



< May 2012 >
   1 2 3 4 5
6 7 8 9101112

past articles »

Click for San Francisco, California Forecast

San Francisco, USA


&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.


A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or

2012.05.01 [] - comments



blog comments powered by Disqus

past articles »


BBC News


Greek PM: Say 'No' to 'blackmail' (03 Jul 2015)


Silence held to honour Tunisia dead (03 Jul 2015)


Iceland makes blasphemy legal (03 Jul 2015)


Shell to start Arctic oil drilling (03 Jul 2015)


Mass rebel assault on Syria's Aleppo (03 Jul 2015)


Mainland China shares dive further (03 Jul 2015)


Uber suspends UberPOP in France (03 Jul 2015)


China firm 'must approve pregnancies' (03 Jul 2015)


IS 'emir of suicide bombers killed' (03 Jul 2015)


Music streaming's up 80% on last year (03 Jul 2015)

more »


Slashdot News for nerds, stuff that matters


Common Medications Sway Moral Judgment (2015-07-03T16:33:00+00:00)


Firefox 39 Released, Bringing Security Improvements and Social Sharing (2015-07-03T15:44:00+00:00)


Samsung Faces Lawsuit In China Over Smartphone Bloatware (2015-07-03T15:04:00+00:00)


Russian Cargo Ship Successfully Makes Orbit, Will Supply ISS (2015-07-03T14:21:00+00:00)


Aussie ISP Bakes In Geo-dodging For Netflix, Hulu (2015-07-03T13:38:00+00:00)


AMAgeddon: Reddit Mods Are Locking Up the Site's Most Popular Pages In Protest (2015-07-03T12:56:00+00:00)


The Science of 4th of July Fireworks (2015-07-03T12:14:00+00:00)


Ask Slashdot: What Is the Best Way To Hold Onto Your Domain? (2015-07-03T11:33:00+00:00)

more »


TechPsychic Tech Rumors and Invented News

more »


SF Gate


Bay Area News (7 Jan 2012)


City Insider (11 Feb 2012)


Crime Scene (13 Feb 2012)


C.W Newius Column (10 Jan 2012)


C.W. Nevius Blog (11 Feb 2012)


Education News (10 Jan 2012)


KALW (11 Feb 2012)


Matier and Ross Blog (11 Feb 2012)


Las Vegas moves toward arcade-style video slots (3 Jul 2015)


No need to call the front desk, just send a text (3 Jul 2015)


5 ways airlines are making flying better (3 Jul 2015)


Tesla sets record with 2nd-quarter sales (2 Jul 2015)


Daily Briefing, July 3 (2 Jul 2015)


Business News Roundup, July 3 (2 Jul 2015)

more »


Asia Times Online


China ramps up charges against Zhou (Fri 20 Mar 2015 11:00:00 GMT)


'100 dead' in Myanmar fighting (Fri 20 Mar 2015 11:00:00 GMT)


Tunisian president vows no mercy (Fri 20 Mar 2015 11:00:00 GMT)


SPENGLER Israel's 'referendum' on 'two-state solution' (Fri 20 Mar 2015 11:00:00 GMT)


Russia, S Ossetia sign 'integration' pact (Fri 20 Mar 2015 11:00:00 GMT)


US military plunges Aquino into crisis (Fri 20 Mar 2015 11:00:00 GMT)


Rahmon celebrates Tajik democracy (Fri 20 Mar 2015 11:00:00 GMT)


THE BEAR'S LAIR Being old in 2040 no fun (Fri 20 Mar 2015 11:00:00 GMT)


China grant boosts Nepal ties (Fri 20 Mar 2015 11:00:00 GMT)

more »


Site feed Updated: 2015-Jul-03 10:00