Re: OWASP JSON sanitizer question

Mike Samuel

Jun 14, 2016, 9:15:12 AM
to Zinger, Jonathan, Polman, Mark, Gijsen, Simon, json-saniti...@googlegroups.com
On Mon, Jun 13, 2016 at 11:59 AM, Zinger, Jonathan
<Jonatha...@emc.com> wrote:
> Dear Mr. Samuel,
>
> My name is Jonathan Zinger. I am a developer at EMC and I would like to ask
> you a question regarding the OWASP JSON sanitizer. In accordance with OWASP
> recommendations we are using the OWASP JSON sanitizer in order to sanitize
> the JSON payload before it is stored. However, we're running across an issue:
>
> Some of our fields are XML, for example:
>
> {
>   " foo1":
>   "<data><year></year><schoolname>pennst</schoolname></data>",
> }
>
> When we run the payload through the sanitizer this is the output (notice the
> highlighted change):
>
> {
>   "foo1":
>   "<data><year></year><schoolname>pennst<\/schoolname></data>",
> }

This is legal JSON. https://tools.ietf.org/html/rfc7159 says

"""Any character may be escaped. ...

char = unescaped /
escape (
...
%x2F / ; / solidus U+002F
... /
%x75 4HEXDIG ) ; uXXXX U+XXXX

escape = %x5C ; \
"""

> When that XML is then processed into DOM it causes an error since the XML is
> malformed. It seems that the sanitizer replaces every instance of </sc to
> <\/sc in order to prevent a script tag, so this can happen with any XML.

You are right about the reason.

> Is this a known issue? Does the sanitizer support XML as json field? What
> can we do to help fix the issue?

I don't think this is an issue with the JSON sanitizer. It looks like
the processor is not properly parsing JSON.
I would try to fix the parser to properly recognize escape sequences
in quoted strings.

> Best regards,
>
> Jonathan Zinger
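The point of the exchange above, as an added example that is not part of the thread or of the OWASP JSON sanitizer itself: a conforming JSON parser decodes the `<\/` escape back to `</`, so the embedded XML is intact, whereas a consumer that merely slices the raw characters out of the JSON text (as the thread describes) hands malformed XML to the DOM parser. The sample JSON text is constructed from the sanitizer output quoted in the thread; `escape_closing_tags` is a hypothetical, simplified illustration of the defensive `</` to `<\/` rewrite (the OWASP library's own logic is narrower and is not reproduced here).

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the sanitizer output quoted in the thread. The JSON text
# is held in a Python string literal, so the single backslash of the JSON
# escape "<\/" is written as "\\/" here.
SANITIZED_JSON = (
    '{"foo1": "<data><year></year><schoolname>pennst<\\/schoolname></data>"}'
)
RAW_JSON = (
    '{"foo1": "<data><year></year><schoolname>pennst</schoolname></data>"}'
)


def escape_closing_tags(json_text: str) -> str:
    """Hypothetical illustration (not the OWASP implementation): rewrite every
    "</" inside an already-valid JSON text as "<\\/". RFC 7159 allows the
    solidus to be escaped, so the value is unchanged for any real JSON parser,
    but the text can no longer close an enclosing HTML <script> element early.
    """
    return json_text.replace("</", "<\\/")


def naive_extract(json_text: str, key: str) -> str:
    """A deliberately broken consumer of the kind the thread describes: it
    copies the raw characters between the quotes and never decodes escapes."""
    pattern = r'"%s"\s*:\s*"([^"]*)"' % re.escape(key)
    match = re.search(pattern, json_text)
    if match is None:
        raise KeyError(key)
    return match.group(1)


def correct_extract(json_text: str, key: str) -> str:
    """A conforming JSON parser decodes \\/ back to / as the RFC requires."""
    return json.loads(json_text)[key]


def xml_parses(xml_text: str) -> bool:
    """True if the text is well-formed XML, False if the DOM parser rejects it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # The escape is value-preserving for a real parser ...
    assert json.loads(escape_closing_tags(RAW_JSON)) == json.loads(RAW_JSON)
    # ... and the decoded field is well-formed XML.
    print("correct parser ->", xml_parses(correct_extract(SANITIZED_JSON, "foo1")))
    # The naive consumer leaves "<\/schoolname>" in place and the XML fails.
    print("naive consumer ->", xml_parses(naive_extract(SANITIZED_JSON, "foo1")))
```

Running the block prints `True` for the conforming parser and `False` for the naive consumer, which is exactly the failure the thread reports and why the fix belongs in the consumer's JSON handling rather than in the sanitizer.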