tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Amazon fires: 'Our house is burning', Macron warns ahead of G7 (23 Aug 2019)

 

Russian nuclear accident: Medics fear 'radioactive patients' (22 Aug 2019)

 

Indonesia cuts off internet to Papua following protests (22 Aug 2019)

 

Poland lightning strike kills four, injures 100, in Tatra mountains storm (22 Aug 2019)

 

Backstop indispensable, Johnson told (22 Aug 2019)

 

Execution set for US killer who preyed on gay men (22 Aug 2019)

 

South Korea and Japan's feud explained (22 Aug 2019)

 

Qandeel Baloch: Parents fail to free brothers accused of killing sister (22 Aug 2019)

 

Huawei's Meng Wanzhou not a bargaining chip, says Pompeo (22 Aug 2019)

 

Chemnitz trial: Syrian jailed over stabbing that sparked German far-right riots (22 Aug 2019)

more »

 

SF Gate

 

Ship traffic (22 Aug 2019)

 

Spider-Man fights evil on his own after Sony-Disney split (21 Aug 2019)

 

Walmart sues Tesla over fires from solar panels atop stores (21 Aug 2019)

 

Reining in Big Tech with more regulation (21 Aug 2019)

 

Ship traffic, August 22 (21 Aug 2019)

 

Companies starting to worry about effects of tariffs on consumers (20 Aug 2019)

more »


Site feed Updated: 2019-Aug-22 18:00