tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Colin Powell: Former US secretary of state dies of Covid complications (18 Oct 2021)

 

Norway attack: Victims killed with 'sharp object', not arrows (18 Oct 2021)

 

Trudeau visits First Nation to apologise after holiday snub (18 Oct 2021)

 

Mastermind of deadly 2016 Baghdad bombing caught, Iraq says (18 Oct 2021)

 

Greta Thunberg sings Rick Astley hit at climate concert (18 Oct 2021)

 

Dennis Hutchings: Ex-soldier on trial over Troubles shooting dies (18 Oct 2021)

 

Tigray: Ethiopian government admits Mekelle airstrike (18 Oct 2021)

 

Russia to suspend Nato diplomatic mission amid tension (18 Oct 2021)

 

Ahmaud Arbery: Trial over black jogger's death begins (18 Oct 2021)

 

China denies testing nuclear-capable hypersonic missile (18 Oct 2021)

more »

 

SF Gate

 

13 Best Background Check Sites & Services: Search Criminal Records and Social Media Accounts Online (28 Jul 2021)

 

It pays to search for top-quality auto shop (6 Feb 2021)

 

Fired Boeing CEO is now working with Bay Area tractor startup (14 Dec 2020)

 

PG&E bills to rise over per year on average to fund wildfire risk reduction (5 Dec 2020)

 

Nasdaq seeks more diversity on boards of companies listed on exchange (2 Dec 2020)

 

Elizabeth Holmes Prosecutors Say Texts Show Theranos Beset With Problems (24 Nov 2020)

more »


Site feed Updated: 2021-Oct-14 07:00