Mike Samuel
unread,Jun 14, 2016, 9:15:12 AM6/14/16Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Sign in to report message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to Zinger, Jonathan, Polman, Mark, Gijsen, Simon, json-saniti...@googlegroups.com
On Mon, Jun 13, 2016 at 11:59 AM, Zinger, Jonathan
<
Jonatha...@emc.com> wrote:
> Dear Mr. Samuel,
>
>
>
> My name is Jonathan Zinger I am a developer at EMC and I would like to ask
> you a question regarding the OWASP JSON sanitizer. In accordance to OWASP
> recommendations we are is using OWASP JSON sanitizer in order to sanitize
> json payload before it is stored. However we’re running across an issue:
>
>
>
> Some of our fields are XML’s, for example:
>
>
>
> {
>
> " foo1":
> "<data><year></year><schoolname>pennst</schoolname></data>",
>
> }
>
>
>
> When we run the payload through the sanitizer this is the output (notice the
> highlighted change)
>
>
>
> {
>
> "foo1":
> "<data><year></year><schoolname>pennst<\/schoolname></data>",
>
> }
This is legal JSON.
https://tools.ietf.org/html/rfc7159 says
"""Any character may be escaped. ...
char = unescaped /
escape (
...
%x2F / ; / solidus U+002F
... /
%x75 4HEXDIG ) ; uXXXX U+XXXX
escape = %x5C ; \
"""
> When that XML is then processed into DOM it causes an error since the XML is
> malformed. It seems that the sanitizer replaces every instance of </sc to
> <\/sc in order to prevent a script tag, so this can happen with any XML.
You are right about the reason.
> Is this a known issue? Does the sanitizer support XML as json field? What
> can we do to help fix the issue?
I don't think this is an issue with the JSON sanitizer. It looks like
the processor is not properly parsing JSON.
I would try to fix the parser to properly recognizes escape sequences
in quoted strings.
> Best regards,
>
> Jonathan Zinger
>
>