In a prior post, I described various values I use to test strings. However, there are some special characters which may result in unexpected behavior or security vulnerabilities when they are encountered within a string that is later displayed in the application. The specifics of how these work depend on the capabilities of the programming language – so research how strings may be formatted for output in the language used to develop your application. A recent article that describes this well is “Programming Language Format String Vulnerabilities” by Hal Burch and Robert C. Seacord. printf-style format strings are ripe for these types of errors.

Special character values:

“\\” Backslash related strings
“\a” Alert (bell) related strings
“\b” Backspace related strings
“\f” Form feed related strings
“Form Feed\fForm Feed”
“\n” Newline related strings
“\r” Carriage return related strings
“Carriage Return\rCarriage Return”
“\t” Tab related strings
“\v” Vertical tab related strings
“Vertical Tab\vVertical Tab”

Format value strings:

“Decimal: %d” Signed decimal
“Decimal: %i” Signed decimal
“Octal: %o” Unsigned octal
“Decimal: %u” Unsigned decimal
“Hex: %x” Unsigned hex
“Hex: %X” Unsigned hex
“Floating: %.5f” Floating point
“Exponential: %.5e” Exponential
“Exponential: %.5E” Exponential
“Unsigned Char: %c” Character (converted from integer value)
“String: %s” String
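As an added example (my own C code, not from the post or the article it cites), the following shows the correct way to display one of these test values with a literal format string, a small checker that flags test values containing conversion directives, and a sanitizer that neutralises “%” and makes the control characters listed above visible before text reaches a logging API that reuses its argument as a format string. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in untrusted text; "%%" is a literal percent. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent, not a directive */
        n++;
    }
    return n;
}

/* Display untrusted text correctly: the format is a literal and the text is an argument.
 * The defect the post describes is snprintf(out, outlen, untrusted), where a "%x" or "%s"
 * inside the text would be interpreted instead of printed. */
int render_for_display(const char *untrusted, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Neutralise text before it reaches an API that treats its argument as a format string,
 * and make the special characters from the list above visible so a log line cannot be
 * split ("\r\n") or mangled ("\b", "\f"). Returns the length written, or -1 if out is
 * too small for the escaped text plus terminator. */
int sanitize_for_log(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
        case '%':  rep = "%%";   break;
        case '\\': rep = "\\\\"; break;
        case '\a': rep = "\\a";  break;
        case '\b': rep = "\\b";  break;
        case '\f': rep = "\\f";  break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        case '\v': rep = "\\v";  break;
        default:   rep = NULL;   break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outlen)
            return -1;
        if (rep) memcpy(out + o, rep, need); else out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}
```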