tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Russia 'to alter military doctrine' (02 Sep 2014)

 

IS accused of Iraq ethnic cleansing (02 Sep 2014)

 

VIDEO: Iraq grannies 'take on IS in Amerli’ (01 Sep 2014)

 

FBI probes 'Cloud' celebrity leaks (02 Sep 2014)

 

Nigeria militants 'seize' major town (02 Sep 2014)

 

Boris Island airport plan 'not dead' (02 Sep 2014)

 

US 'targets al-Shabab's leader' (02 Sep 2014)

 

Uber banned across Germany by court (02 Sep 2014)

 

US works to free trio in N Korea (02 Sep 2014)

 

Pakistan MPs hold emergency session (02 Sep 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

Hackers Behind Biggest-Ever Password Theft Begin Attacks (2014-09-02T00:01:00Z)

 

Tox, a Skype Replacement Built On 'Privacy First' (2014-09-01T22:59:00Z)

 

Net Neutrality Campaign To Show What the Web Would Be Like With a "Slow Lane" (2014-09-01T22:04:00Z)

 

New Computer Model Predicts Impact of Yellowstone Volcano Eruption (2014-09-01T21:15:00Z)

 

Raspberry Pi Gets a Brand New Browser (2014-09-01T20:22:00Z)

 

Power Grids: The Huge Battery Market You Never Knew Existed (2014-09-01T19:30:00Z)

 

Radioactive Wild Boars Still Roaming the Forests of Germany (2014-09-01T18:36:00Z)

 

New Nigerian ID Card Includes Prepay MasterCard Wallet (2014-09-01T17:47:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Ship traffic for Sept. 1 (31 Aug 2014)

 

Bay Area insider trades, Sept. 1 (31 Aug 2014)

 

Will Harvard Business School have a class with 50% women? (31 Aug 2014)

 

Mergers and acquisitions, Sept. 1 (31 Aug 2014)

 

Evernote expands its line of high-end office accessories (31 Aug 2014)

 

Product Hunt (31 Aug 2014)

more »

 

Asia Times Online

 

Gaza: Now the guns have been silenced (Fri 29 Aug 2014 11:00:00 GMT)

 

VIOLENCE IN KASHMIR Modi's muscle strains Indo-Pak talks (Fri 29 Aug 2014 11:00:00 GMT)

 

India opens door to superbugs (Fri 29 Aug 2014 11:00:00 GMT)

 

Russia welcomes Asia food imports (Fri 29 Aug 2014 11:00:00 GMT)

 

Keynes is dead; long live Marx (Fri 29 Aug 2014 11:00:00 GMT)

 

Reloading the debt dice (Fri 29 Aug 2014 11:00:00 GMT)

more »

 


Site feed Updated: 2014-Sep-02 03:00