Media type parameters are not allowed by the spec, explicitly forbidden. This includes charset.
In an effort to comply with this, I was looking into how to disable the default charset being set when using express.js.
Turns out, you cannot:
expressjs/express#3490 (comment)
Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing the user's browser to set the correct charset could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.
Later in the GH issue, there's a link to a more detailed article, which I can't claim to fully understand, nor do I have the time to do a deep dive on it: https://portswigger.net/research/json-hijacking-for-the-modern-web
Express.js is one of the most well-used node libraries, and it's prohibitively hard to work around this, especially within the bounds of a self-built application framework.
While it might be the "correct and valid" approach to say no media type parameters are allowed, are they doing any harm if included? It seems more that the inverse is true here.
JSON text exchanged between systems that are not part of a closed ecosystem MUST be encoded using UTF-8
Since JSON:API is of course based on JSON, this applies to us as well.
I talked with @gabesullice about this issue today. We're both in favor of adding an explicit exception for the charset, stating that if this parameter is present, its value MUST be UTF-8. And if it's not present, then UTF-8 should be assumed.
Thanks for raising this. I think it will be useful to address this explicitly.
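The rule proposed above (a charset parameter is allowed only with the value UTF-8, no other media type parameters, UTF-8 assumed when absent), worked into a server-side Content-Type check. This is an added example, not code from the JSON:API spec, Express, or anyone in this thread; the function names, the 415 status and the middleware shape are my own assumptions.

```javascript
// Added example: validate a JSON:API Content-Type under the proposed charset
// exception. Names here are hypothetical, not from the spec or Express.
const JSON_API_MEDIA_TYPE = 'application/vnd.api+json';

// Split a Content-Type value into media type and parameters. Names and the
// charset value are compared case-insensitively; quoted values are unquoted.
function parseContentType(header) {
  const [type, ...rawParams] = header.split(';').map((s) => s.trim());
  const params = {};
  for (const raw of rawParams) {
    if (raw === '') continue;
    const eq = raw.indexOf('=');
    if (eq === -1) return null; // malformed parameter (no '=')
    const name = raw.slice(0, eq).trim().toLowerCase();
    let value = raw.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1); // quoted-string form, e.g. charset="UTF-8"
    }
    params[name] = value;
  }
  return { type: type.toLowerCase(), params };
}

// Returns null when the header is acceptable, otherwise a short reason.
// Only the JSON:API media type is accepted; the only parameter tolerated is
// charset, and if present its value must be utf-8. Absence means UTF-8.
function checkJsonApiContentType(header) {
  if (typeof header !== 'string' || header.trim() === '') return 'missing Content-Type';
  const parsed = parseContentType(header);
  if (parsed === null) return 'malformed Content-Type parameters';
  if (parsed.type !== JSON_API_MEDIA_TYPE) return `unsupported media type: ${parsed.type}`;
  for (const [name, value] of Object.entries(parsed.params)) {
    if (name !== 'charset') return `media type parameter not allowed: ${name}`;
    if (value.toLowerCase() !== 'utf-8') return `charset must be utf-8, got: ${value}`;
  }
  return null;
}

// Express-style middleware on top of the check (assumed shape; express itself
// is not needed to run this file). Requests without a body carry no
// Content-Type and are let through.
function jsonApiContentTypeMiddleware(req, res, next) {
  const ct = req.headers['content-type'];
  if (ct === undefined) return next();
  const reason = checkJsonApiContentType(ct);
  if (reason === null) return next();
  // Express will append charset=utf-8 to this response header; under the
  // proposed rule that is permitted, so no workaround is needed.
  res.status(415).set('Content-Type', JSON_API_MEDIA_TYPE)
    .send(JSON.stringify({ errors: [{ status: '415', detail: reason }] }));
}
```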