I'm looking for a library to perform JSON sanitization and came across JSoup and OWASP AntiSamy. It looks like AntiSamy only does HTML sanitization and has a separate JSON sanitization project. JSoup doesn't seem to mention JSON sanitization either.
Do JSoup and OWASP AntiSamy perform JSON sanitization?
OWASP has a JSON sanitizer project, separate from AntiSamy, that converts JSON-like content to syntactically correct and embeddable JSON.
The output is well-formed JSON as defined by RFC 4627. The output satisfies three additional properties:
- The output will not contain the substring (case-insensitively) "</script" so can be embedded inside an HTML script element without further encoding.
- The output will not contain the substring "]]>" so can be embedded inside an XML CDATA section without further encoding.
- The output is a valid JavaScript expression, so can be parsed by JavaScript's eval builtin (after being wrapped in parentheses) or by JSON.parse. Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
- The output contains only valid Unicode scalar values (no isolated UTF-16 surrogates) that are allowed in XML unescaped.
If you have a predefined data structure, I suggest you consider using Sandhands for sanitization. Sandhands ensures your data follows a specific format.
A snippet from the docs:
import {sanitize, valid, details} from 'sandhands'
valid(12, String) // returns false
sanitize(12, String) // throws error with message "Invalid Type"
details(12, String) // returns "Invalid Type"
We can also provide a format for more advanced data structures, such as objects:
import {sanitize} from 'sandhands'
sanitize({name: "Timmy", age: 25, favoriteColor: 'yellow'}, {name: String, age: Number, favoriteColor: String}) // Doesn't throw any errors
sanitize({name: "jake", age: 23, favoriteColor: true}, {name: String, age: Number, favoriteColor: String}) // Throws the error "Error: Expected String"
Edit: fair warning, I developed Sandhands.