about me



< May 2012 >
   1 2 3 4 5
6 7 8 9101112

past articles »

Click for San Francisco, California Forecast

San Francisco, USA


&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.


A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or

2012.05.01 [] - comments



blog comments powered by Disqus

past articles »


BBC News


March For Our Lives: Huge gun-control rallies sweep US (24 Mar 2018)


Arnaud Beltrame: France lauds policeman who swapped with hostage (24 Mar 2018)


Australian ball tampering shocks cricket (24 Mar 2018)


Gun marchers: 'Our message to the world is...' (24 Mar 2018)


Spain Catalonia: Ex-leader Puigdemont 'avoids Finnish arrest' (24 Mar 2018)


Massive incomplete TV tower in Russia demolished (24 Mar 2018)


Waterslide death: Former park boss charged after boy killed (24 Mar 2018)


Most wanted Roy Lawrence Piechocki arrested in Bulgaria (24 Mar 2018)


Trump signs new transgender military ban (24 Mar 2018)


Iran angered by US imposition of cyber sanctions (24 Mar 2018)

more »


SF Gate


Bay Area News (7 Jan 2012)


City Insider (11 Feb 2012)


Crime Scene (13 Feb 2012)


C.W Newius Column (10 Jan 2012)


C.W. Nevius Blog (11 Feb 2012)


Education News (10 Jan 2012)


KALW (11 Feb 2012)


Matier and Ross Blog (11 Feb 2012)


ICYMI: William Shatner, who did NOT die; ‘Black Panther’ has Twitter record (24 Mar 2018)


Speakers might be the next thing in your car to go the way of the 8-track (24 Mar 2018)


Best computers and laptops for creatives (24 Mar 2018)


Instagram is changing its algorithm. Here’s how (24 Mar 2018)


Uber’s self-driving cars were struggling before Arizona crash (24 Mar 2018)


Apple will return to its roots with education tools and new iPad (24 Mar 2018)

more »


Site feed Updated: 2018-Mar-24 15:00