tungwaiyip.info


&D\anger'"+<b>@?!mb Against Code Injection

I have to harden my web app against code injection. The problem requires looking at how an input string is used in several different contexts:

  • In HTML/XML as text content.
  • In HTML/XML as a quoted attribute value.
  • In a URL as a query parameter.
  • In JavaScript, as a string literal used to dynamically create or edit DOM elements.

Each context has its own escaping rules. Since the same data can move from one context to another (for example a value placed in a URL that is itself placed in an attribute), it has to be escaped correctly for every context it passes through, in the order it enters them.

To help test for proper escaping, I have come up with the string below, which contains many special characters. Put it in your test database and paste it into your input fields, then observe whether it causes a problem anywhere. In a properly escaped system the string should be transferred and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code supports Unicode correctly. I find it helpful to insert the string below into the test data from the very beginning.

  \u4e09\u570b\u5fd7 or
  三國志
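As an added example (not code from the original post), the Python below pushes both probe strings through the four contexts listed above, then decodes each one the way a browser would and checks that the value comes back verbatim. It also shows contexts nesting: the value is URL-encoded into a query string, and that URL is then attribute-escaped into an href. The function names and the /search URL are assumptions of this example.

```python
import html
import json
import urllib.parse

# The two probe strings from the post, embedded here as constructed test input.
DANGER = "&D\\anger'\"+<b>@?!mb"
CJK = "\u4e09\u570b\u5fd7"  # 三國志
PROBES = [DANGER, CJK]


def esc_html_text(s):
    """Context 1: HTML/XML text node. '&', '<' and '>' become entities."""
    return html.escape(s, quote=False)


def esc_html_attr(s):
    """Context 2: value inside a double-quoted HTML attribute. Quotes too."""
    return html.escape(s, quote=True)


def esc_url_query(params):
    """Context 3: URL query string. Reserved characters are percent-encoded."""
    return urllib.parse.urlencode(params)


def esc_js_literal(s):
    """Context 4: a JavaScript string literal inside a <script> block.

    json.dumps escapes quotes, backslashes and control characters. On top of
    that we escape '<' and '>' so the literal can never contain '</script>',
    and U+2028/U+2029, which JSON allows raw but JavaScript treats as line
    terminators.
    """
    lit = json.dumps(s, ensure_ascii=False)
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        lit = lit.replace(ch, rep)
    return lit


def build_url(value):
    """Hypothetical search URL carrying the value as the 'q' parameter."""
    return "/search?" + esc_url_query({"q": value, "page": 1})


def render(value):
    """Put one value into all four contexts at once, escaping each correctly.

    The href shows contexts nesting: the value is URL-encoded first, then the
    whole URL is attribute-escaped (so the '&' joining parameters becomes &amp;).
    """
    return (
        '<p title="{attr}">{text}</p>\n'
        '<a href="{href}">link</a>\n'
        '<script>document.title = {js};</script>'
    ).format(
        attr=esc_html_attr(value),
        text=esc_html_text(value),
        href=esc_html_attr(build_url(value)),
        js=esc_js_literal(value),
    )


def roundtrip(value):
    """Decode each context as a browser would; return what comes back."""
    # Attribute decoding happens first, then URL parsing, mirroring the nesting.
    href = html.unescape(esc_html_attr(build_url(value)))
    query = urllib.parse.urlsplit(href).query
    return {
        "text": html.unescape(esc_html_text(value)),
        "attr": html.unescape(esc_html_attr(value)),
        "url": urllib.parse.parse_qs(query)["q"][0],
        "js": json.loads(esc_js_literal(value)),
    }


def all_verbatim(value):
    """True if the value survives every context unchanged."""
    return all(v == value for v in roundtrip(value).values())


if __name__ == "__main__":
    for probe in PROBES:
        print(render(probe))
        print("verbatim:", all_verbatim(probe))
```

The check that matters is all_verbatim: if any context loses or mangles a character, the decoded value will differ from the probe. Rendering the probe through a template that only applies one of these escapers (or applies them in the wrong order for the nested href) is exactly the kind of bug this string is meant to surface.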

2012.05.01
