If a string is passed as text/json, what is written to the Java servlet's response?

Time: 2021-10-02 15:55:44

My question is more security related. Please consider the following code in Java:

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public static void DoGet(HttpServletRequest request, HttpServletResponse response) throws IOException
{
    // Reads an attacker-controllable query parameter (?input=...) from the request.
    String input = request.getParameter("input");
    response.setContentType("application/json"); //FP
    // Writes the parameter back verbatim: no validation, no JSON encoding.
    response.getWriter().println(input);
}

If input equals a simple string, what will be passed to the client for the code above? For example, if I try to pass a JavaScript script in the code above, will setting application/json as the response type sanitize it from XSS? Thanks, Mary

1 solution

#1

0
Setting the content type doesn't do anything on the server side ... apart from telling the client side to interpret the content a particular way. It certainly doesn't do any server-side sanitization. If sanitization is required, it needs to be done before / as the JSON is generated on the server side.


Having said that, with a properly implemented browser and properly implemented web pages, nothing should be "evaluating" the JSON on the client side. If there was tricky stuff in the input parameter in your example, the client-side JSON parser should cope with it ... and treat it as invalid JSON. But, there are potential risks if:

  • the values passed in the JSON were used to build dynamic web content; i.e. embedded in HTML, or
  • they were used to form HTTP requests back to your server, or another one.

So server-side sanitization is advisable.

