tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Canada 'not intimidated' by attacks (23 Oct 2014)

 

Military heads admit Afghan mistakes (22 Oct 2014)

 

Mystery of giant arm dinosaur solved (23 Oct 2014)

 

Mexico orders Iguala mayor's arrest (22 Oct 2014)

 

Jerusalem car 'attack' kills baby (22 Oct 2014)

 

Obama 'optimistic' over Ebola in US (22 Oct 2014)

 

India's Modi visits Siachen glacier (23 Oct 2014)

 

Four guilty of Blackwater killings (22 Oct 2014)

 

DNA yields secrets of human pioneer (22 Oct 2014)

 

VIDEO: Military reburials for WW1 soldiers (22 Oct 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

Oldest Human Genome Reveals When Our Ancestors Mixed With Neanderthals (2014-10-23T01:03:00Z)

 

Two Exocomet Families Found Around Baby Star System (2014-10-23T00:10:00Z)

 

Will the Google Car Turn Out To Be the Apple Newton of Automobiles? (2014-10-22T23:30:00Z)

 

Michigan Latest State To Ban Direct Tesla Sales (2014-10-22T22:46:00Z)

 

BitTorrent Performance Test: Sync Is Faster Than Google Drive, OneDrive, Dropbox (2014-10-22T22:03:00Z)

 

Deutsche Telecom Upgrades T-Mobile 2G Encryption In US (2014-10-22T21:25:00Z)

 

The Classic Control Panel In Windows May Be Gone (2014-10-22T20:44:00Z)

 

Judge Says EA Battlefield 4 Execs Engaged In "Puffery," Not Fraud (2014-10-22T20:04:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

FCC pauses review of Comcast, AT&T deals over contract fight (22 Oct 2014)

 

Harassment a common part of online life, Pew study finds (22 Oct 2014)

 

Yahoo beats Wall Street’s sales estimates (21 Oct 2014)

 

Business news roundup, Oct. 22 (21 Oct 2014)

 

AbbVie scraps billion Shire deal on U.S. tax changes (21 Oct 2014)

 

Wearable health technology still just a novelty, report finds (21 Oct 2014)

more »

 

Asia Times Online

 

Rouhani's 'economic package' is empty (Tue 21 Oct 2014 11:00:00 GMT)

 

Low hopes for Hong Kong talks (Tue 21 Oct 2014 11:00:00 GMT)

 

Ebola and security opportunities lost (Tue 21 Oct 2014 11:00:00 GMT)

 

What could possibly go wrong? (Tue 21 Oct 2014 11:00:00 GMT)

 

Britain's phantoms of the past in Palestine (Tue 21 Oct 2014 11:00:00 GMT)

 

Pictures of life on North Korean tourist trail (Tue 21 Oct 2014 11:00:00 GMT)

 

China bids to curb mounting local debt (Tue 21 Oct 2014 11:00:00 GMT)

 

THE BEAR'S LAIR When socialism can 'work' (Tue 21 Oct 2014 11:00:00 GMT)

more »

 


Site feed Updated: 2014-Oct-23 00:00