[2.0] sanitizing / scrubbing input


Daniel Spangler
Feb 22, 2013, 1:23:54 PM
to play-fr...@googlegroups.com

What techniques are people using to sanitize their input in Play apps? I'm specifically interested in input coming in via JSON requests.

- Are you scrubbing the raw content before you pass it to your json parser?
- Are you transforming to java objects and then sanitizing the individual properties?
- Do you have some special jackson serializers that do the work behind the scenes?


Sincerely,

Daniel

Will Sargent
Feb 22, 2013, 7:16:07 PM
to play-fr...@googlegroups.com
I'm using the Scala JSON API to pull data out directly.

http://www.playframework.com/documentation/2.0/ScalaJson
http://mandubian.com/2012/09/08/unveiling-play-2-dot-1-json-api-part1-jspath-reads-combinators/
http://mandubian.com/2012/10/01/unveiling-play-2-dot-1-json-api-part2-writes-format-combinators/
http://mandubian.com/2012/10/29/unveiling-play-2-dot-1-json-api-part3-json-transformers/

Once I have the raw data, I use value classes with an object to
provide an Option[ValidatedClass] that returns Some[ValidatedClass] if
the validation was successful.

http://tersesystems.com/2012/12/16/problems-scala-fixes
http://docs.scala-lang.org/overviews/core/value-classes.html

Works pretty well.

Will.

James Roper
Feb 25, 2013, 11:46:31 AM
to play-framework

On Fri, Feb 22, 2013 at 7:23 PM, Daniel Spangler <daniel....@gmail.com> wrote:
> What techniques are people using to sanitize their input in Play apps? I'm specifically interested in input coming in via JSON requests.

What do you mean by sanitise?  If you mean remove certain characters that could be used to exploit XSS vulnerabilities, then you're going about it the wrong way, since it's not what gets input that matters, it's where you're outputting the data that matters.  For example you might be outputting it in the following places:

* HTML text content
* HTML attributes
* Javascript strings
* SQL queries
* URL query parameters

The escaping that needs to be done in these situations is all completely different; you cannot possibly modify the input to safely sanitise for all of these. And if you do, you'll end up annoying every Irish person, since they won't be able to enter their true last name into your fields because you'll call the valid characters of their last name invalid (eg O'Flynn).

Don't sanitise input.  Sanitise output.  Play does this for you in Scala templates by default for HTML.
> - Are you scrubbing the raw content before you pass it to your json parser?
> - Are you transforming to java objects and then sanitizing the individual properties?
> - Do you have some special jackson serializers that do the work behind the scenes?
>
> Sincerely,
>
> Daniel

--
James Roper
Software Engineer

Typesafe - The software stack for applications that scale
Twitter: @jroper
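
An added example (JavaScript; not code from the thread or from Play) of the point James makes: the raw value is kept as entered, and each output context he lists applies its own encoding, with SQL using a bound parameter instead of any encoding. All function names here are my own.

```javascript
// Added example, not from the thread: the same untouched input rendered
// safely in each output context. Nothing is stripped on input, so
// "O'Flynn" survives; each sink applies the encoding it needs.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML text content and HTML attribute values (attributes must be quoted).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string literal: hex-escape every character outside a small
// safe set, which also neutralises </script> and line terminators.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// URL query parameter: percent-encoding, apostrophe and parentheses included.
function escapeUrlParam(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    (ch) => "%" + ch.charCodeAt(0).toString(16).toUpperCase());
}

// SQL: no escaping at all; the value travels as a bound parameter.
function sqlQuery(lastName) {
  return { text: "SELECT id FROM users WHERE last_name = ?", params: [lastName] };
}

// Render one value into every sink, each with its own encoding.
function renderEverywhere(lastName) {
  return {
    htmlText: `<td>${escapeHtml(lastName)}</td>`,
    htmlAttr: `<input value="${escapeHtml(lastName)}">`,
    jsString: `var name = "${escapeJsString(lastName)}";`,
    urlParam: `/search?last=${escapeUrlParam(lastName)}`,
    sql: sqlQuery(lastName),
  };
}
```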

Daniel Spangler
Mar 14, 2013, 11:56:46 AM
to play-fr...@googlegroups.com
Thanks for the input.  This is the sort of response I was hoping for.

Daniel