tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Barcelona attack: New manhunt for suspected driver (19 Aug 2017)

 

Steve Bannon vows to 'go to war' for Trump agenda after sacking (19 Aug 2017)

 

Finland killings: Stabbings in Turku a 'terror attack' (19 Aug 2017)

 

Woman raped by Roman Polanski asks for 'mercy' to end case (19 Aug 2017)

 

Lele Tao: The 'online goddess' who earns a year (18 Aug 2017)

 

Liu Xiabo's widow Liu Xia makes first appearance since funeral (19 Aug 2017)

 

Russia knife attacker wounds eight (19 Aug 2017)

 

Boston braces for rival protests week after Charlottesville (19 Aug 2017)

 

Disputed Venezuela assembly takes parliament's powers (19 Aug 2017)

 

Big Ben's Ayrton Light to be switched off (19 Aug 2017)

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Taylor Swift’s blank space; Foot Locker’s plunge; Webster’s fun (18 Aug 2017)

 

From Isaac Asimov to Aimee Mann, ‘robophobia’ plagues humans (18 Aug 2017)

 

Former Uber CEO lashes out at VC firm suing company (18 Aug 2017)

 

In China, your company’s name can’t be a mouthful (18 Aug 2017)

 

Target ends relationship with troubled food maker Hampton Creek (18 Aug 2017)

 

Best action camcorders (18 Aug 2017)

more »

 


Site feed Updated: 2017-Aug-19 03:00