tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Covid: US death toll passes 200,000 (22 Sep 2020)

 

Covid: US funeral directors reflect on 200,000 death toll (22 Sep 2020)

 

UN General Assembly: US-China tensions flare over coronavirus (22 Sep 2020)

 

Ginsburg Supreme Court: Republicans secure vote for replacement (22 Sep 2020)

 

UK PM calls for resolve to fight Covid over winter (22 Sep 2020)

 

Dark web drugs raid leads to 179 arrests (22 Sep 2020)

 

Climate change: China aims for 'carbon neutrality by 2060' (22 Sep 2020)

 

Pascale Ferrier: White House ricin package suspect in court (22 Sep 2020)

 

Charlie Hebdo: French magazine's head of HR 'forced out of home' (22 Sep 2020)

 

Lebanon explosion 'destroys Hezbollah arms depot' (22 Sep 2020)

more »

 

SF Gate

 

Ship traffic, September 23 (22 Sep 2020)

 

Ship traffic, September 22 (21 Sep 2020)

 

Ship traffic, September 21 (20 Sep 2020)

 

Ship traffic, September 19 (18 Sep 2020)

 

Ship traffic, September 20 (18 Sep 2020)

 

Ship traffic, September 18 (17 Sep 2020)

more »


Site feed Updated: 2020-Sep-22 15:00