
When using regular JSP forms for printing to the client, configuring the web.xml properly works for me (http://stackoverflow.com/questions/2147958/how-do-i-prevent-people-from-doing-xss-in-java).

Is there any "best practice" on how to escape/entitize strings which will be sent via JSON to a jQuery function, which then populates the DOM with these values? Any recommended libraries or Spring Web Framework built-ins?

  1. jQuery $.ajax-call to Spring MVC
  2. Spring MVC responds in JSON
  3. (magic encoding happens, e.g. <a> becomes &lt;a&gt; ) <= this one
  4. jQuery receives the JSON and populates the DOM in an XSS-safe way

Thanks in advance!

edit: I am also sometimes sending HTML on purpose, so the solution would need to handle only the user input. Will it probably turn out that every user-poisoned string has to be sanitized manually?


Try this class, which I wrote for my own use. It may be useful; please check whether any case is missing, as no detailed testing has been done on it yet.

If any issue arises, please let me know. (Add the corresponding Apache Commons and net.sf.json jars.)

package myutil;

import java.util.Iterator;

import net.sf.json.JSONArray;

import net.sf.json.JSONObject;

import org.apache.commons.lang.StringEscapeUtils;

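/**
 * Recursively HTML-escapes every string value in a json-lib {@link JSONObject} tree so the
 * values can be inserted into the DOM by client-side code without being interpreted as markup.
 *
 * <p>Only {@code String} values are escaped. Nested objects and arrays are walked recursively;
 * every other value (numbers, booleans, JSON null) is copied through unchanged, so the output
 * keeps the same value types as the input. Keys are not escaped.
 *
 * <p>Caveats: {@code StringEscapeUtils.escapeHtml} (commons-lang 2) does not escape the
 * apostrophe, so escaped values are only safe in HTML element content and double-quoted
 * attribute values, not in single-quoted attributes, JavaScript or URL contexts. Because
 * escaping happens on the server, the client cannot tell escaped user input apart from HTML
 * that was sent on purpose; if both travel in the same document, the client still needs to know
 * per field whether to insert it as text or as markup.
 */
public class JSONCleaner {

    /**
     * Demonstrates the cleaner on a small nested document and prints the escaped result.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        JSONObject grandchild = new JSONObject();
        grandchild.put("subchlidkey1", "subchildvalue1");
        grandchild.put("subchlidkey2", "subchildvalue2");
        grandchild.put("subchlidkey3", "subchildvalue3");

        JSONObject child = new JSONObject();
        child.put("chlidkey1", "childvalue1");
        child.put("chlidkey2", "childvalue2");
        child.put("chlidkey3", "childvalue3");

        JSONArray items = new JSONArray();
        items.add("option1");
        items.add("<p>option2</p>");
        items.add(grandchild);

        JSONObject root = new JSONObject();
        root.put("name", "<b>nirbhay</b>");
        root.put("age", 23);
        root.put("jsonChildObject", child);
        root.put("weight", 65);
        root.put("array", items);

        System.out.println(cleanJSONObject(root));
    }

    /**
     * Returns a copy of {@code jsonObject} with every string value, at any depth, HTML-escaped.
     *
     * @param jsonObject the object to copy; it is not modified
     * @return a new object with the same keys and structure, with string values escaped and all
     *     other values copied as-is
     */
    public static JSONObject cleanJSONObject(JSONObject jsonObject) {
        JSONObject returnJson = new JSONObject();
        Iterator<?> keys = jsonObject.keys();
        while (keys.hasNext()) {
            // json-lib keys are always Strings, so the cast is safe.
            String key = (String) keys.next();
            returnJson.put(key, cleanValue(jsonObject.get(key)));
        }
        return returnJson;
    }

    /**
     * Returns a copy of {@code array} with every string element, at any depth, HTML-escaped.
     *
     * @param array the array to copy; it is not modified
     * @return a new array of the same length with escaped string elements
     */
    private static JSONArray cleanJSONArray(JSONArray array) {
        JSONArray returnArray = new JSONArray();
        for (int i = 0, n = array.size(); i < n; i++) {
            returnArray.add(cleanValue(array.get(i)));
        }
        return returnArray;
    }

    /**
     * Cleans one value: recurses into containers, escapes strings and passes everything else
     * through untouched.
     *
     * @param value a value taken from a {@link JSONObject} or {@link JSONArray}
     * @return the cleaned value, of the same kind as the input
     */
    private static Object cleanValue(Object value) {
        if (value instanceof JSONObject) {
            return cleanJSONObject((JSONObject) value);
        }
        if (value instanceof JSONArray) {
            return cleanJSONArray((JSONArray) value);
        }
        if (value instanceof String) {
            return StringEscapeUtils.escapeHtml((String) value);
        }
        // Numbers, booleans and JSON null keep their type. Fetching every scalar via
        // getString() turned them into strings (e.g. 23 -> "23") and so changed the shape
        // of the emitted JSON; escaping only applies to text.
        return value;
    }
}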