pythoniosIV

Reputation: 237

Escape values of a JSON String without breaking the JSON

I'm trying to escape the values from a JSON string and remove HTML chars (like <script> etc.) in the backend. I've read that GSON normally does that itself, but not in my case, because I'm directly filling the Java object via "fromJson".

If I'm just using the commons library and escape with escapeString or escapeJson, it will also escape the double quotes (") and will then break the fromJson function from GSON.

I'm using the following functionality to fill the object:

Gson gson = new GsonBuilder().setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").create();
DataObject dObject = gson.fromJson(jsonString, DataObject.class);

The JSON string looks like the following (it is dynamic):

{"dynamic":[{"id":1,"constrain":"1","value_text":"test"},{"id":11,"constrain":"1","value_boolean":1}],"name":"Xzzz","prename":"XY","language":"e","email":"[email protected]"}

I just want to escape the values of the JSON string (like when someone types <script> as a name, it should be escaped as &lt;script&gt;).

Has anyone any idea how I could fix that problem?

Thanks in advance.

Upvotes: 2

Views: 8398

Answers (2)

DavidC

Reputation: 218

If the content of the JSON is correct JSON, you should not worry about HTML encoding. No JSON library will have automatic HTML encoding for attributes. If you need to encode as HTML you can use this lib: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTML(java.lang.String)

If you want to encode for an HTML attribute assignment (also a likely scenario), you should use this instead: http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute(java.lang.String)

My advice is that after any of this encoding you apply http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForJavaScript(java.lang.String) if your library does not provide this.

In general, when encoding, you have to know how the parsers (JavaScript/JSON/HTML) in the browser run and in which order.

Upvotes: 1

Arno_Geismar

Reputation: 2330

My guess is you are trying to sanitize the user's input to prevent cross-site scripting. What you probably want to do is use a whitelist of allowed input. Once the input passes, you can send it to the backend.

This is a good reference:

http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

Summarized, it boils down to this:

String unsafe = 
"<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

Upvotes: 2
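Putting both answers together, as an added example that is not from the question or either answer: let Gson parse the JSON first (the parser, not a string escaper, deals with the quotes), then encode only the string values for an HTML text context before mapping the tree onto the object. The `DataObject`/`Dynamic` field layout, the `encodeForHtml` helper and the sample input are assumptions; `JsonParser.parseString` exists from Gson 2.8.6 on.

```java
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.google.gson.JsonPrimitive;
import java.util.List;
import java.util.Map;

public class EscapeJsonValues {
    // Assumed stand-ins for the question's DataObject; the real class is not on the page.
    static class Dynamic { int id; String constrain; String value_text; Integer value_boolean; }
    static class DataObject { List<Dynamic> dynamic; String name; String prename; String language; String email; }

    // Encode a value for an HTML *text* context. '&' must be replaced first so the
    // entities produced by the later replacements are not double-encoded.
    static String encodeForHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#x27;");
    }

    // Walk the parsed tree and encode every string primitive in place. Structural
    // characters (braces, commas, the quotes around values) are never touched.
    static JsonElement encodeStrings(JsonElement el) {
        if (el.isJsonPrimitive() && el.getAsJsonPrimitive().isString()) {
            return new JsonPrimitive(encodeForHtml(el.getAsString()));
        }
        if (el.isJsonObject()) {
            for (Map.Entry<String, JsonElement> e : el.getAsJsonObject().entrySet()) e.setValue(encodeStrings(e.getValue()));
        } else if (el.isJsonArray()) {
            JsonArray arr = el.getAsJsonArray();
            for (int i = 0; i < arr.size(); i++) arr.set(i, encodeStrings(arr.get(i)));
        }
        return el;
    }

    public static void main(String[] args) {
        // Constructed sample input: the question's shape with a hostile "name" value.
        String jsonString = "{\"dynamic\":[{\"id\":1,\"constrain\":\"1\",\"value_text\":\"test\"}],"
                + "\"name\":\"<script>\",\"prename\":\"XY\",\"language\":\"e\",\"email\":\"x@example.com\"}";
        Gson gson = new GsonBuilder().setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").create();
        JsonElement tree = JsonParser.parseString(jsonString);  // JSON parsing first
        DataObject dObject = gson.fromJson(encodeStrings(tree), DataObject.class); // then encode values
        System.out.println(dObject.name);
    }
}
```

Encoding at this point fixes the values for one output context (HTML text); as DavidC notes, a value that later lands in an attribute or a JavaScript string needs that context's encoder, so most teams keep the stored value raw and encode at render time.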
