JSoup vs OWASP AntiSamy for JSON Sanitization
I'm looking for a library to perform JSON sanitization and came across JSoup and OWASP AntiSamy. It looks like AntiSamy only does HTML sanitization, and there is a separate project for JSON sanitization. Also, JSoup doesn't seem to mention JSON sanitization anywhere.
Do JSoup or OWASP AntiSamy perform JSON sanitization?
OWASP has a JSON sanitizer project, separate from AntiSamy, that converts JSON-like content into syntactically valid, embeddable JSON. From its documentation:
The output is well-formed JSON as defined by RFC 4627. The output satisfies three additional properties:
- The output will not contain the substring (case-insensitively) "</script" so can be embedded inside an HTML script element without further encoding.
- The output will not contain the substring "]]>" so can be embedded inside an XML CDATA section without further encoding.
- The output is a valid Javascript expression, so can be parsed by Javascript's eval builtin (after being wrapped in parentheses) or by JSON.parse. Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
- The output contains only valid Unicode scalar values (no isolated UTF-16 surrogates) that are allowed in XML unescaped.
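The four embeddability properties listed above can be produced and checked mechanically. As an added example (not code from the answers here or from the OWASP sanitizer itself), the JavaScript below serializes a value so the output has those properties and verifies them on any JSON text; `toEmbeddableJson`, `isEmbeddable` and the sample data are this example's own.

```javascript
// Added example, not code from the question, the answers or the OWASP project:
// serialize a value so the JSON text has the four embeddability properties
// quoted above, and check those properties on any JSON text.

// One isolated UTF-16 surrogate: a high surrogate not followed by a low one,
// or a low surrogate not preceded by a high one (matched per code unit).
const LONE_SURROGATE = /[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/;
const LONE_SURROGATE_ALL = new RegExp(LONE_SURROGATE.source, 'g');

// JSON text safe to embed in a <script> element, an XML CDATA section or JS source.
function toEmbeddableJson(value) {
  // JSON.stringify emits '<', '>', U+2028 and U+2029 only inside string
  // literals, where a \uXXXX escape is always legal, so escaping them in the
  // serialized text cannot break the JSON syntax or change the decoded value.
  return JSON.stringify(value, (_key, v) =>
      // Policy chosen for this example: replace isolated surrogates with
      // U+FFFD so the decoded strings hold only Unicode scalar values.
      typeof v === 'string' ? v.replace(LONE_SURROGATE_ALL, '\uFFFD') : v)
    .replace(/</g, '\\u003c')       // no "</script" in any letter case
    .replace(/>/g, '\\u003e')       // no "]]>"
    .replace(/\u2028/g, '\\u2028')  // JS line terminators that JSON allows raw
    .replace(/\u2029/g, '\\u2029');
}

// True when `text` is well-formed JSON and has the four properties.
function isEmbeddable(text) {
  try { JSON.parse(text); } catch (_e) { return false; }
  return !/<\/script/i.test(text)
      && !text.includes(']]>')
      && !/[\u2028\u2029]/.test(text)
      && !LONE_SURROGATE.test(text);
}

// Constructed sample covering all four hazards.
const SAMPLE = { html: '</SCRIPT><b>x</b>', cdata: 'a]]>b', sep: 'x\u2028y\u2029', lone: 'ab\uD800c' };
console.log(isEmbeddable(JSON.stringify(SAMPLE)), isEmbeddable(toEmbeddableJson(SAMPLE))); // false true
```

Plain `JSON.stringify` output fails the check only because of how it will be embedded, not because it is invalid JSON; that distinction is the whole reason a separate JSON sanitizer exists.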
If you have a predefined data structure, I'd suggest looking at Sandhands for sanitization. Sandhands makes sure your data follows a specific format.
Snippet from the docs:
Basic exports

```javascript
import {sanitize, valid, details} from 'sandhands'
valid(12, String) // returns false
sanitize(12, String) // throws error with message "Invalid Type"
details(12, String) // returns "Invalid Type"
```

More advanced usage
We can also sanitize more advanced data structures such as objects:

```javascript
import {sanitize} from 'sandhands'
sanitize({name: "Timmy", age: 25, favoriteColor: 'yellow'}, {name: String, age: Number, favoriteColor: String}) // Doesn't throw any errors
sanitize({name: "jake", age: 23, favoriteColor: true}, {name: String, age: Number, favoriteColor: String}) // Throws the error "Error: Expected String"
```

Edit: fair warning, I developed Sandhands.