
I am looking for a library to perform JSON sanitization and came across JSoup and OWASP AntiSamy. It looks like AntiSamy only does HTML sanitization, and there is a separate project for JSON sanitization. JSoup does not seem to mention JSON sanitization either.

Do JSoup and OWASP AntiSamy perform JSON sanitization?


2 Answers


OWASP has a JSON sanitizer project, separate from AntiSamy, that converts JSON-like content to syntactically correct and embeddable JSON.

The output is well-formed JSON as defined by RFC 4627. The output satisfies three additional properties:

  • The output will not contain the substring (case-insensitively) "</script" so can be embedded inside an HTML script element without further encoding.
  • The output will not contain the substring "]]>" so can be embedded inside an XML CDATA section without further encoding.
  • The output is a valid JavaScript expression, so can be parsed by JavaScript's eval builtin (after being wrapped in parentheses) or by JSON.parse. Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
  • The output contains only valid Unicode scalar values (no isolated UTF-16 surrogates) that are allowed in XML unescaped.
answered 2015-04-27T14:35:45.550
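As an added example that is not part of the original answer or of the OWASP JSON Sanitizer project: the four output properties quoted above, enforced in plain JavaScript on JSON.stringify output, together with the injection they prevent when JSON is inlined into an HTML script element. The function names (toWellFormedDeep, embeddableJson, naiveScriptTag, safeScriptTag) and the untrusted input are this example's own constructions.

```javascript
// Added example (not the OWASP JSON Sanitizer's code): enforce the four output
// properties quoted in the answer above on JSON.stringify output, so the JSON
// can be dropped into an HTML <script> element, an XML CDATA section, or a JS
// source file without the host parser ending the element early.
// Names (toWellFormedDeep, embeddableJson, naiveScriptTag, safeScriptTag) and
// the sample input are this example's own.

// A high surrogate not followed by a low one, or a low surrogate not preceded
// by a high one: an isolated UTF-16 code unit that is not a Unicode scalar value.
const LONE_SURROGATE =
  /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g;

// Property 4: replace isolated surrogates in every string key and value with
// U+FFFD before serialising, so the output holds only valid scalar values.
function toWellFormedDeep(value) {
  if (typeof value === 'string') return value.replace(LONE_SURROGATE, '\uFFFD');
  if (Array.isArray(value)) return value.map(toWellFormedDeep);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k.replace(LONE_SURROGATE, '\uFFFD')] = toWellFormedDeep(v);
    }
    return out;
  }
  return value; // number, boolean, null
}

// Characters that JSON allows raw inside a string literal but that the
// surrounding context interprets. In well-formed JSON text they can only occur
// inside string literals, so a global replacement with the equivalent \uXXXX
// escape never touches structure; JSON.parse and eval still yield the same
// value, while the HTML/XML/JS host never sees the raw character.
const CONTEXT_ESCAPES = {
  '<': '\\u003c',      // property 1: no "</script" can survive
  '>': '\\u003e',      // property 2: no "]]>" can survive
  '\u2028': '\\u2028', // property 3: JS line terminators that JSON leaves raw
  '\u2029': '\\u2029',
};

function embeddableJson(value) {
  const json = JSON.stringify(toWellFormedDeep(value));
  return json.replace(/[<>\u2028\u2029]/g, (ch) => CONTEXT_ESCAPES[ch]);
}

// Constructed untrusted input, shaped the way an attacker would submit it.
const untrusted = {
  name: '</script><script>alert(1)</script>', // breaks out of <script>
  cdata: 'x]]><evil/>',                        // breaks out of CDATA
  note: 'line\u2028break',                     // raw JS line terminator
  bad: 'a\uD800b',                             // isolated high surrogate
};

// The vulnerable pattern: JSON.stringify output is valid JSON, but the HTML
// parser closes the script element at the first "</script" before the JS
// engine ever runs, so the attacker's second <script> executes.
function naiveScriptTag(value) {
  return '<script>var data = ' + JSON.stringify(value) + ';</script>';
}

// The hardened form: same document, same parsed value, no early close.
function safeScriptTag(value) {
  return '<script>var data = ' + embeddableJson(value) + ';</script>';
}

// Quick self-check when run directly.
const safe = embeddableJson(untrusted);
console.log(naiveScriptTag(untrusted).includes('</script><script>alert(1)'),
            /<\/script/i.test(safe), safe.includes(']]>'),
            JSON.parse(safe).name === untrusted.name);
```

The replacement is done on the serialised text rather than on the input values because `<`, `>`, U+2028 and U+2029 cannot appear outside a string literal in well-formed JSON, so a global substitution with `\uXXXX` escapes is structure-safe; isolated surrogates, by contrast, are fixed before serialisation because modern JSON.stringify would otherwise emit them as `\udXXX` escapes that parse back to a malformed string.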

If you have a predefined data structure, I would suggest looking at Sandhands for sanitization. Sandhands makes sure your data follows a specific format.

Snippet from the docs:

Basic exports

import {sanitize, valid, details} from 'sandhands'

valid(12, String) // returns false
sanitize(12, String) // throws error with message "Invalid Type"
details(12, String) // returns "Invalid Type"

More advanced usage

We can also provide a format for more advanced data structures (such as objects)

import {sanitize} from 'sandhands'

sanitize({name: "Timmy", age: 25, favoriteColor: 'yellow'}, {name: String, age: Number, favoriteColor: String}) // Doesn't throw any errors
sanitize({name: "jake", age: 23, favoriteColor: true}, {name: String, age: Number, favoriteColor: String}) // Throws the error "Error: Expected String"

Edit: fair warning, I developed Sandhands.

answered 2021-04-30T22:18:22.583