1. 技术文章
  2. How to encode response to JSON in filter without failing XSS

How to encode response to JSON in filter without failing XSS

邮差的信 提交于 2019-12-13 03:36:00

问题


BELOW IS THE static code analysis report from SpotBugs

XSS_SERVLET: Potential XSS in Servlet A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)

Vulnerable Code:

protected void doGet(HttpServletRequest req, HttpServletResponse resp) 
throws ServletException, IOException {
String input1 = req.getParameter("input1");
[...]
resp.getWriter().write(input1);
}

Solution:

protected void doGet(HttpServletRequest req, HttpServletResponse resp)     throws ServletException, IOException {
    String input1 = req.getParameter("input1");
    [...]
    resp.getWriter().write(Encode.forHtml(input1))

Encode.forJava for JavaScript is writing special chars and JSON string is compromised.

How to use Encoder to send JSON string. without failing security CHECK


回答1:


Perhaps you could have a look at OWASP JSON sanitizer https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Main ?



来源:https://stackoverflow.com/questions/52402857/how-to-encode-response-to-json-in-filter-without-failing-xss

标签
Spring
spring-mvc
security
owasp
spotbugs
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!