tungwaiyip.info

home

about me

links

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

France church attack: Killers 'pledged allegiance to IS' in video (27 Jul 2016)

 

Jupiter's Great Red Spot 'roars with heat' (27 Jul 2016)

 

Rio 2016: Russia team depleted by drugs ban gathers at airport (28 Jul 2016)

 

UK nuclear plant set to get final approval (27 Jul 2016)

 

Human nose study yields new antibiotics (27 Jul 2016)

 

Hour's activity 'offsets sedentary day' (27 Jul 2016)

 

Animals go hungry in Venezuela zoos due to shortages (28 Jul 2016)

 

US election: Trump 'encourages Russia to hack Clinton emails' (27 Jul 2016)

 

Florida investigates four mysterious Zika infections (27 Jul 2016)

 

UN condemns 'barbaric' Boko Haram violence in Nigeria (27 Jul 2016)

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Behind the green apron: Starbucks dress code gets some flair (27 Jul 2016)

 

Fed suggests interest rates still likely to rise this year (27 Jul 2016)

 

Citrix merging GoTo unit with LogMeIn in .8 billion deal (27 Jul 2016)

 

These are the West Coast's richest people from Forbes' list (27 Jul 2016)

 

Tesla slams the accelerator on Gigafactory (27 Jul 2016)

 

LeEco buys TV maker Vizio (26 Jul 2016)

more »

 


Site feed Updated: 2016-Jul-27 21:00