HTML-encode the JSON response based on the content type #7385
Conversation
| @Override | ||
| public void writeProperty(String name, Object value) throws IOException | ||
| { | ||
| super.writeProperty(sendHtmlJsonResponse ? PageFlowUtil.filter(name) : name, value); |
There was a problem hiding this comment.
Maybe a comment here to the effect that super.writeProperty() calls writeObject() which encodes
| } | ||
| else | ||
| { | ||
| super.writeObject(value); |
There was a problem hiding this comment.
So all non-String values are safe to render without encoding?
There was a problem hiding this comment.
In practice, yes. But there are other possible values that could end up rendering as strings. I was able to change the override approach to catch more of those theoretical pathways. I didn't see a way to intercept this line though:
else if (isSerializeViaJacksonAnnotations() || value instanceof SimpleResponse<?>)
There was a problem hiding this comment.
If everything is supposed to be encoded, could this be tackled from the stream side?
There was a problem hiding this comment.
If everything is supposed to be encoded, could this be tackled from the stream side?
3 participants
Rationale
A certain combination of HTTP headers can cause mixup in terms of
Content-Typeand encoding. I don't think this will happen in real-world scenarios, but can be hit by security scanners.The reported scenario is doing a POST to
query-importwithout theX-Requested-With=XMLHttpRequestHTTP request header. The actual form submission sends that header, so the server responds withapplication/json. Without the header, the server returns JSON with astext/htmlbut fails to HTML encode.Changes
Tasks 📍