tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Trump: I'd beat Clinton to White House (10 Feb 2016)

 

New Hampshire winners and losers (10 Feb 2016)

 

Turkey denounces US support for Kurds (10 Feb 2016)

 

Parents urged to boycott VTech toys (10 Feb 2016)

 

N Korea executes army chief - reports (10 Feb 2016)

 

French MPs back constitutional changes (10 Feb 2016)

 

German train focus 'on human error' (10 Feb 2016)

 

Israeli PM's wife 'mistreated staff' (10 Feb 2016)

 

Nestle ends IAAF sponsorship deal (10 Feb 2016)

 

'Disquiet' over Mandela heir conversion (10 Feb 2016)

more »

 

Slashdot News for nerds, stuff that matters

 

Carly Is Out (2016-02-10T20:58:00+00:00)

 

Trane Takes 2 Years To Remove Hard-Coded Root Passwords From IoT Thermostat (2016-02-10T20:41:00+00:00)

 

Women Get Pull Requests Accepted More (Except When You Know They're Women) (2016-02-10T20:01:00+00:00)

 

Twitter's Timeline Option Puts Important Tweets Up Top (2016-02-10T19:22:00+00:00)

 

DjangoCon 2016 To Be Held In Philadelphia In July (2016-02-10T18:51:00+00:00)

 

Identity Thieves Obtain 100,000 Electronic Filing PINs From IRS System (2016-02-10T18:30:00+00:00)

 

Putin's Internet Czar Wants To Ban Windows On Government PCs (2016-02-10T17:55:00+00:00)

 

Microsoft Launches Windows 10 Update History Site To Share Update Release Notes (2016-02-10T17:14:00+00:00)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Yahoo lays off 107 Sunnyvale employees, who will depart by April (10 Feb 2016)

 

Twitter unveils new timeline feature ahead of earnings report (10 Feb 2016)

 

Business News Roundup, Feb. 10 (10 Feb 2016)

 

How the drought boosts your utility bills, and global warming (10 Feb 2016)

 

Zenefits CEO resigns amid compliance problems (10 Feb 2016)

 

Feds investigate alleged breach of FBI, Homeland Security data (10 Feb 2016)

more »

 

Asia Times Online

more »

 


Site feed Updated: 2016-Feb-10 13:00