&D\anger'"+<b>@?!mb Against Code Injection

Blog

San Francisco, USA

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

In HTML/XML as text.
In HTML/XML as an attribute inside the quote.
In URL as query parameter.
In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [programming] - comments

blog comments powered by Disqus

past articles »

BBC News

•	Prague gunman killed himself on roof as police approached (22 Dec 2023)
•	Bodycam footage shows police hunting Prague gunman (22 Dec 2023)
•	Alex Batty: Police launch abduction investigation into disappearance of British teen (22 Dec 2023)
•	Banksy stop sign drones art removed in London (22 Dec 2023)
•	Martin Kemp refunds disabled ticket after fans' difficulty with seller (22 Dec 2023)
•	Queues at Dover as Christmas getaway begins for millions (22 Dec 2023)
•	New Â£38,700 visa rule will be introduced in early 2025, says Rishi Sunak (22 Dec 2023)
•	UK at risk of recession after economy shrinks (22 Dec 2023)
•	Mohamed Al Bared: Student jailed for life for building IS drone (22 Dec 2023)
•	Andrew Tate denied request to visit ill mother in UK (22 Dec 2023)

SF Gate