New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Escape char handling #513
Comments
If your API is not exposed to the Internet or called by SPA directly, the SanitizerHandler can be skipped. However, we still need to resolve this issue regardless of the location of the SanitizerHandler. |
Is this API a read-only API? If yes, there is no need to have the sanitizer handler in the request/response chain. |
I have reviewed the https://github.com/OWASP/owasp-java-encoder again as I always doubt it is a good idea to blindly apply the encoding for JSON body of APIs. The library was not updated since the first release and the encoding is based on the context mostly applied to JSP and server-side rendering. In the JSON based API, there is no context available and now we just apply the JavaScriptSource encoding. It is only valid for a small percentage of use cases. In the next release, I am going to disable this handler by default in the sanitizer.yml in the model so that it can be only enabled by externalized config if the particular API needs it with a right context. I am going to open an issue to address the context issue with configuration later. |
API is encountering an issue on escape char.
Request payload has a string like "A'NDERSONoô". But in API's handler it is "A\'NDERSONoô" in the body which saved in exchange attachment.
By debugging, BodyHandler can parse the string as "A'NDERSONoô". However, in SanitizerHandler, it calls Encode.forJavaScriptSource() to encode the string and set it back to body as "A\'NDERSONoô".
API's handler validates the string and found '\' as unacceptable char and then fails the request.
Please advise.
The text was updated successfully, but these errors were encountered: