tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

UK's May to face leadership challenge (12 Dec 2018)

 

Strasbourg shooting: France hunts gunman as alert level raised (12 Dec 2018)

 

Meng Wanzhou: Trump could intervene in case of Huawei executive (12 Dec 2018)

 

Trump bickers with top Democrats over border wall funding (12 Dec 2018)

 

Poland climate summit protest limits anger young activists (12 Dec 2018)

 

'Meghan Markle' most googled person in UK in 2018 (12 Dec 2018)

 

Sarah Mardini: 'I am not a people smuggler’ (12 Dec 2018)

 

Fears over sensitive US military data in commercial cloud (12 Dec 2018)

 

Michael Kovrig: Canadian ex-diplomat 'held in China' (12 Dec 2018)

 

Climate change: Arctic reindeer numbers crash by half (12 Dec 2018)

more »

 

SF Gate

 

Huawei executive’s lawyers fight for bail ahead of extradition decision (10 Dec 2018)

 

Tesla’s Elon Musk on ‘60 Minutes’: ‘I do not respect’ the SEC (10 Dec 2018)

 

Amazon’s homegrown chips threaten Intel (10 Dec 2018)

 

Chinese court says Apple infringed on Qualcomm patents (10 Dec 2018)

 

Wells Fargo tops government report on fees paid by students (10 Dec 2018)

 

Ship traffic, December 11 (10 Dec 2018)

more »


Site feed Updated: 2018-Dec-12 00:00