gaellalire commented on PR #122: URL: https://github.com/apache/johnzon/pull/122#issuecomment-1998060261
> to me it sounds more like you want to sanitize whatever json johnzon produced (from probably untrusted input).

Yes, because of the number of methods I have, I prefer a global solution. The security team doesn't want script injection; I don't want to change existing behavior. You can escape `<` to `&lt;`, but in that case you will have to ask all of your clients to add unescapeHTML in their code (every method, every string field ...). The beauty here is that this escape is not a real one for JSON (`"\u003C"` = `"<"`: it is just another way to write it), while for an HTML parser (`"\u003C"` != `"<"`) it will behave differently. So with that patch, REST clients have nothing to change and the security team cannot insert script tags.
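The post-processing idea described in the comment, as an added example that is not Johnzon's code or the PR's patch: `json.dumps` stands in for the mapper, and the three HTML-sensitive characters are rewritten to their JSON `\uXXXX` escapes after serialization. Because `<`, `>` and `&` can only occur inside string literals in valid JSON text, a global replace over the output is safe, and any JSON parser decodes the escapes back to the original characters.

```python
import json

# Characters an HTML parser acts on, mapped to JSON \uXXXX escapes.
# Valid JSON text only contains these inside string literals, so a global
# replace over the serialized output cannot corrupt the structure.
HTML_SENSITIVE = {
    "<": "\\u003C",
    ">": "\\u003E",
    "&": "\\u0026",
}


def escape_json_for_html(json_text: str) -> str:
    """Rewrite raw <, > and & in serialized JSON as \\u escapes.

    The result is still the same JSON document: "\\u003C" decodes to "<"
    for every JSON parser, so REST clients need no change. An HTML parser,
    however, never sees a raw "<" and therefore never sees a tag.
    """
    for ch, esc in HTML_SENSITIVE.items():
        json_text = json_text.replace(ch, esc)
    return json_text


def serialize(value) -> str:
    """Serialize with json.dumps (a stand-in for the Johnzon mapper, an
    assumption of this example) and apply the global escape."""
    return escape_json_for_html(json.dumps(value, ensure_ascii=False))


def round_trips(value) -> bool:
    """True if a JSON parser recovers the original value unchanged."""
    return json.loads(serialize(value)) == value


# Constructed sample: a field carrying untrusted input that contains markup.
SAMPLE = {
    "name": "Bob <b>bold</b>",
    "note": "a & b",
    "payload": "<script>1</script>",
}

if __name__ == "__main__":
    out = serialize(SAMPLE)
    print(out)                      # no raw "<", ">" or "&" anywhere
    print("round-trip:", round_trips(SAMPLE))
```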