Escape char handling #513
Comments
|
If your API is not exposed to the Internet or called by SPA directly, the SanitizerHandler can be skipped. However, we still need to resolve this issue regardless of the location of the SanitizerHandler. |
|
Is this API a read-only API? If yes, there is no need to have the sanitizer handler in the request/response chain. |
|
I have reviewed the https://github.com/OWASP/owasp-java-encoder again as I always doubt it is a good idea to blindly apply the encoding for JSON body of APIs. The library was not updated since the first release and the encoding is based on the context mostly applied to JSP and server-side rendering. In the JSON based API, there is no context available and now we just apply the JavaScriptSource encoding. It is only valid for a small percentage of use cases. In the next release, I am going to disable this handler by default in the sanitizer.yml in the model so that it can be only enabled by externalized config if the particular API needs it with a right context. I am going to open an issue to address the context issue with configuration later. |
API is encountering an issue on escape char.
Request payload has a string like "A'NDERSONoô". But in API's handler it is "A\'NDERSONoô" in the body which saved in exchange attachment.
By debugging, BodyHandler can parse the string as "A'NDERSONoô". However, in SanitizerHandler, it calls Encode.forJavaScriptSource() to encode the string and set it back to body as "A\'NDERSONoô".
API's handler validates the string and found '\' as unacceptable char and then fails the request.
Please advise.
The text was updated successfully, but these errors were encountered: