
Below is the static code analysis report from SpotBugs:

XSS_SERVLET: Potential XSS in Servlet A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)

Vulnerable Code:

protected void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    String input1 = req.getParameter("input1");
    [...]
    resp.getWriter().write(input1);
}

Solution:

protected void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    String input1 = req.getParameter("input1");
    [...]
    resp.getWriter().write(Encode.forHtml(input1));
}

Encode.forJava for JavaScript is writing special chars, and the JSON string is compromised.

How do I use Encoder to send a JSON string without failing the security check?


1 Answer


Maybe you could take a look at the OWASP JSON Sanitizer: https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Main

Answered 2018-09-28T13:14:22.340
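One way to return the parameter as JSON without the XSS finding, as an added example that is not part of the question or the answer above and uses neither the OWASP Encoder nor the JSON Sanitizer: serialize the value as a JSON string literal whose escaper also neutralizes `<`, `>`, `&`, `'` and the U+2028/U+2029 line separators (so the body is valid JSON and stays inert even if a browser or a legacy script ever treats it as HTML or JavaScript), and send it with a JSON content type. As the question observes, `Encode.forJavaScript`-style encoders emit JavaScript string escapes such as `\xHH`, which strict JSON parsers reject, so the escaper here is written by hand. The class name `SafeJsonResponse`, its method names and the sample input are assumptions; the servlet wiring in the usage note assumes the javax.servlet API.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/** Added example (not from the question/answer): safe JSON output of a request parameter. */
public final class SafeJsonResponse {

    /**
     * Encode s as a complete JSON string literal (including the surrounding quotes).
     * Beyond the escapes JSON requires, it also hex-escapes '<', '>', '&', '\'' and
     * U+2028/U+2029 so that "</script>" and friends can never appear literally in the body.
     * Every escape used here (\" \\ \n \r \t \b \f and \\uXXXX) is valid JSON.
     */
    static String jsonStringLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 2).append('"');
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                case '\b': sb.append("\\b");  break;
                case '\f': sb.append("\\f");  break;
                case '<': case '>': case '&': case '\'':
                case '\u2028': case '\u2029':
                    sb.append(String.format("\\u%04x", (int) c));
                    break;
                default:
                    if (c < 0x20) {
                        // remaining C0 control characters must be escaped in JSON
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    /** Build the response body {"input1": "<escaped value>"}. */
    static String jsonBody(String input1) {
        return "{\"input1\":" + jsonStringLiteral(input1 == null ? "" : input1) + "}";
    }

    /** Write the JSON body to an arbitrary Writer (a servlet passes resp.getWriter()). */
    static void writeJson(Writer out, String input1) throws IOException {
        out.write(jsonBody(input1));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the classic script-breakout payload.
        String hostile = "</script><script>alert(1)</script>";
        StringWriter sw = new StringWriter();
        writeJson(sw, hostile);
        // Expected: {"input1":"\u003c/script\u003e\u003cscript\u003ealert(1)\u003c/script\u003e"}
        System.out.println(sw);
    }
}
```

Inside the servlet, the `doGet` from the question becomes: `resp.setContentType("application/json;charset=UTF-8"); resp.setHeader("X-Content-Type-Options", "nosniff"); SafeJsonResponse.writeJson(resp.getWriter(), req.getParameter("input1"));`. The content type tells the browser the body is data, `nosniff` stops it from second-guessing that, and the escaper guarantees that no raw `<` or `>` ever reaches the output, which is the property the `XSS_SERVLET` rule is looking for. For anything more than a single field, build the body with a JSON library rather than by string concatenation.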