#Fix: Sanitize SPA JSON response within HTML response in order to avoid <script> parsing conflicts. (#633)

ggallotti · web-flow · commit 1bdca1d3e49e · 2022-10-31T15:13:32.000-03:00
Issue: 99580
diff --git a/java/src/main/java/com/genexus/internet/HttpContext.java b/java/src/main/java/com/genexus/internet/HttpContext.java
@@ -22,6 +22,7 @@
 import com.genexus.webpanels.GXWebObjectBase;
 import com.genexus.webpanels.WebSession;
 
+import com.genexus.webpanels.WebUtils;
 import json.org.json.IJsonFormattable;
 import json.org.json.JSONArray;
 import json.org.json.JSONException;
@@ -943,7 +944,7 @@ public void SendState()
 		AddStylesheetsToLoad();
 		if (isSpaRequest())
 		{
-			writeTextNL("<script>gx.ajax.saveJsonResponse(" + getJSONResponse() + ");</script>");
+			writeTextNL("<script>gx.ajax.saveJsonResponse(" + WebUtils.htmlEncode(JSONObject.quote(getJSONResponse()), true) + ");</script>");
 		}
 		else
 		{				

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`import com.genexus.webpanels.GXWebObjectBase;`
`23`	`23`	`import com.genexus.webpanels.WebSession;`
`24`	`24`
	`25`	`+import com.genexus.webpanels.WebUtils;`
`25`	`26`	`import json.org.json.IJsonFormattable;`
`26`	`27`	`import json.org.json.JSONArray;`
`27`	`28`	`import json.org.json.JSONException;`
`@@ -943,7 +944,7 @@ public void SendState()`
`943`	`944`	`AddStylesheetsToLoad();`
`944`	`945`	`if (isSpaRequest())`
`945`	`946`	`{`
`946`		`- writeTextNL("<script>gx.ajax.saveJsonResponse(" + getJSONResponse() + ");</script>");`
	`947`	`+ writeTextNL("<script>gx.ajax.saveJsonResponse(" + WebUtils.htmlEncode(JSONObject.quote(getJSONResponse()), true) + ");</script>");`
`947`	`948`	`}`
`948`	`949`	`else`
`949`	`950`	`{`