tungwaiyip.info

home

about me

links

my software

Media

Yucatán Photos

St Lucia Photos

Photo Album

Videos

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Australia batsman Phillip Hughes dies (27 Nov 2014)

 

Indian girls 'killed themselves' (27 Nov 2014)

 

European MPs want Google break-up (27 Nov 2014)

 

Crime author PD James dies aged 94 (27 Nov 2014)

 

Israel 'foils Jerusalem attacks' (27 Nov 2014)

 

Yemen raid missed Western hostages (27 Nov 2014)

 

Afghan attack hits UK embassy car (27 Nov 2014)

 

Spain is not corrupt, says PM Rajoy (27 Nov 2014)

 

Libya cafe bombed over graphic video (27 Nov 2014)

 

Oil prices plunge after Opec meeting (27 Nov 2014)

more »

 

Slashdot News for nerds, stuff that matters

 

Interviews: The Hampton Creek Team Answers Your Questions (2014-11-27T17:12:00Z)

 

Uber's Android App Caught Reporting Data Back Without Permission (2014-11-27T16:19:00Z)

 

Google Told To Expand Right To Be Forgotten (2014-11-27T15:23:00Z)

 

Windows 10 To Feature Native Support For MKV and FLAC (2014-11-27T14:25:00Z)

 

Wikipedia's "Complicated" Relationship With Net Neutrality (2014-11-27T13:28:00Z)

 

Australia Elaborates On a New Drift Model To Find MH370 (2014-11-27T10:23:00Z)

 

UK Announces Hybrid Work/Study Undergraduate Program To Fill Digital Gap (2014-11-27T08:08:00Z)

 

BT Blocking Private Torrent Sites? (2014-11-27T05:35:00Z)

more »

 

TechPsychic Tech Rumors and Invented News

more »

 

SF Gate

 

Bay Area News (7 Jan 2012)

 

City Insider (11 Feb 2012)

 

Crime Scene (13 Feb 2012)

 

C.W Newius Column (10 Jan 2012)

 

C.W. Nevius Blog (11 Feb 2012)

 

Education News (10 Jan 2012)

 

KALW (11 Feb 2012)

 

Matier and Ross Blog (11 Feb 2012)

 

Netflix alleges fraud by former executive (27 Nov 2014)

 

What cloud computing means to your job (27 Nov 2014)

 

Obesity costs U.S. health system billion a year (27 Nov 2014)

 

New video games that make great gifts (27 Nov 2014)

 

Bloomberg briefing, Nov. 27 (27 Nov 2014)

 

Safety agency demands wider recall of air bags (26 Nov 2014)

more »

 

Asia Times Online

 

Ground troops in Iraq, yet again? (Wed 26 Nov 2014 11:00:00 GMT)

 

SINOGRAPH World War II haunts Japan's future (Wed 26 Nov 2014 11:00:00 GMT)

 

Indonesia takes a Melanesian turn (Wed 26 Nov 2014 11:00:00 GMT)

 

Hong Kong police clear protest with teargas (Wed 26 Nov 2014 11:00:00 GMT)

 

Obama keeps pivot credible, for now (Wed 26 Nov 2014 11:00:00 GMT)

 

China reaps harvest from Russia sanctions (Wed 26 Nov 2014 11:00:00 GMT)

 

THE BEAR'S LAIR Abe on road to disaster (Wed 26 Nov 2014 11:00:00 GMT)

more »

 


Site feed Updated: 2014-Nov-27 10:00