Sanitize the HTML in JSON input


ashish...@gmail.com

Jan 29, 2018, 8:52:20 AM1/29/18
to OWASP Java HTML Sanitizer Support

Can we sanitize the HTML if I am passing a JSON using the application/json content-type?

Mike Samuel

Jan 29, 2018, 10:17:20 AM1/29/18
to OWASP Java HTML Sanitizer Support
No.

You can run it on the content of strings before composing your JSON, but not on the output JSON itself.

The sanitizer needs to be able to remove tags and attributes without worrying about whether it is breaking token boundaries in some other language.

For example, the following string is both a valid HTML document fragment and a string that many tolerant JSON parsers would accept:

[
  "<code>\</code>",",alert(1)//"
]

but if passed through an HTML sanitizer which did not whitelist the <code> element, you would get

[
  "\",",alert(1)//"
]

which, if it was unwisely parsed using JavaScript's eval(...) would end up running the equivalent of

[
  "\u0022,",
  alert(1)
]

I'm pretty sure that people who are better than me at coming up with attacks could come up with something that both is valid JSON, and which, run through a common sanitizer policy, would be valid JavaScript that has a side effect and/or free variables.



On Mon, Jan 29, 2018 at 6:51 AM, <ashish...@gmail.com> wrote:

Can we sanitize the HTML if I am passing a JSON using the application/json content-type?

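The ordering point in the reply above, as an added example that is not part of the thread and not the OWASP Java HTML Sanitizer's own code: the sanitizer is applied to each untrusted string value first, and the JSON encoder then escapes the result, so the quotes and backslashes that delimit JSON strings are never seen by the sanitizer. Running the same sanitizer over the finished JSON text entity-encodes the string delimiters and breaks the document. The `sanitize_html` function here is a constructed stand-in for a whitelist policy (it is not the library's API, which is Java); the `UNTRUSTED` field is a constructed sample.

```python
import html
import json
import re

# Constructed stand-in for a whitelist sanitizer policy: allowed tags are kept
# without attributes, any other tag is dropped, script/style bodies are removed,
# and text is entity-encoded. It is a toy, not the OWASP Java HTML Sanitizer.
ALLOWED_TAGS = {"b", "i", "code"}
DROP_BODY_TAGS = {"script", "style"}
TAG_RE = re.compile(r"(<[^>]*>)")
TAG_NAME_RE = re.compile(r"^<\s*(/?)\s*([a-zA-Z0-9]+)")


def sanitize_html(fragment: str) -> str:
    out = []
    skipping = None  # name of a script/style element whose body is being dropped
    for piece in TAG_RE.split(fragment):
        m = TAG_NAME_RE.match(piece)
        if m:
            closing, name = m.group(1) == "/", m.group(2).lower()
            if skipping:
                if closing and name == skipping:
                    skipping = None
                continue
            if name in DROP_BODY_TAGS and not closing:
                skipping = name
            elif name in ALLOWED_TAGS:
                out.append(f"</{name}>" if closing else f"<{name}>")
            # any other tag is dropped, attributes and all
        elif not skipping:
            out.append(html.escape(piece, quote=True))
    return "".join(out)


def build_json_response(fields: dict) -> str:
    """Right order: sanitize each untrusted string value, then JSON-encode.
    json.dumps escapes quotes and backslashes, so the document stays well-formed."""
    return json.dumps({k: sanitize_html(v) if isinstance(v, str) else v
                       for k, v in fields.items()})


def sanitize_after_serializing(fields: dict) -> str:
    """Wrong order: treat the finished JSON document as HTML. The sanitizer
    entity-encodes the quotes that delimit JSON strings and does not know that
    a backslash before a quote is a JSON escape, so the output is no longer JSON."""
    return sanitize_html(json.dumps(fields))


def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


# Constructed sample of an untrusted field that carries both a quote and markup.
UNTRUSTED = {"comment": 'He said "hi" <script>alert(1)</script> <b>ok</b>'}

if __name__ == "__main__":
    good = build_json_response(UNTRUSTED)
    bad = sanitize_after_serializing(UNTRUSTED)
    print("values sanitized, then encoded:", good, is_valid_json(good))
    print("document sanitized after encoding:", bad, is_valid_json(bad))
```

The same split holds for any other host format: the sanitizer output is safe as HTML text, and the JSON (or XML, or URL) encoder is what makes it safe inside its own tokens.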
