tungwaiyip.info

home

about me

links

Blog

< May 2012 >
SuMoTuWeThFrSa
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  

past articles »

Click for San Francisco, California Forecast

San Francisco, USA

 

&D\anger'"+<b>@?!mb Against Code Injection

I have to build my web app against code injection. I find that the problem requires us to see input string used in several different context.

  • In HTML/XML as text.
  • In HTML/XML as an attribute inside the quote.
  • In URL as query parameter.
  • In JavaScript to dynamically create or edit DOM elements.

In each context, there are different rule in escaping them. Since the data can move from one context to another, they have to be properly escaped in all cases.

To help test for proper escaping, I have come up with a string that has lots of special characters below. Put it in your test database and paste it in your input fields. Observe if this causes problem anywhere. In properly escaped system, the string should be transfered and reconstructed verbatim.

  &D\anger'"+<b>@?!mb

A related issue is whether your code support unicode correctly. I find it helpful to insert a string below into the test data to test it out right from the beginning.

  \u4e09\u570b\u5fd7 or
  三國志

2012.05.01 [] - comments

 

 

blog comments powered by Disqus

past articles »

 

BBC News

 

Turkey to suspend Syria offensive, Mike Pence announces (17 Oct 2019)

 

Brexit: Johnson 'very confident' MPs will back deal (17 Oct 2019)

 

What just happened with Brexit? (17 Oct 2019)

 

National Doral Miami: Trump Florida golf course to host G7 summit (17 Oct 2019)

 

Trump and Pelosi: The 'meltdown' photo showing Washington divides (17 Oct 2019)

 

Climate protesters dragged from London train (17 Oct 2019)

 

Holocaust trial: Former Stutthof guard on trial in Germany (17 Oct 2019)

 

Russians accused of extremism cut wrists in court (17 Oct 2019)

 

US envoy Gordon Sondland 'disappointed' at Trump over Ukraine (17 Oct 2019)

 

Venezuela wins seat on UN Human Rights Council (17 Oct 2019)

more »

 

SF Gate

 

Europe’s antitrust regulator hits Broadcom (16 Oct 2019)

 

Chinese snooping tech spreads to nations vulnerable to abuse (16 Oct 2019)

 

GM and UAW reach tentative contract agreement (16 Oct 2019)

 

Ship traffic, October 17 (16 Oct 2019)

 

Ship traffic, October 16 (15 Oct 2019)

 

Yahoo might owe you money for those big data breaches. Here's how to get it. (15 Oct 2019)

more »


Site feed Updated: 2019-Oct-17 12:00