gaellalire commented on PR #122:
URL: https://github.com/apache/johnzon/pull/122#issuecomment-1997956222
Hello @rmannibucau,
This code
```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import org.apache.johnzon.mapper.Mapper;
import org.apache.johnzon.mapper.MapperBuilder;

// MyModel is not shown in the comment; assumed here as a bean with a single
// "name" property whose toString() returns it (consistent with the output below).
public class MyModel {
    private String name;
    public MyModel() {}
    public MyModel(final String name) { this.name = name; }
    public String getName() { return name; }
    public void setName(final String name) { this.name = name; }
    @Override public String toString() { return name; }
}

final MyModel object = new MyModel("<script>alert('boom')</script>");
System.out.println("create: " + object + " - " + System.identityHashCode(object));
// Default mapper; the patch under discussion changes how '<' and '>' are written
final Mapper mapper = new MapperBuilder().build();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
mapper.writeObject(object, byteArrayOutputStream);
byte[] byteArray = byteArrayOutputStream.toByteArray();
System.out.println("serialize: " + new String(byteArray));
// Read side is unchanged: "\u003C" and "<" both decode to the same char
final MyModel otherObject = mapper.readObject(new ByteArrayInputStream(byteArray), MyModel.class);
System.out.println("unserialize: " + otherObject + " - " + System.identityHashCode(otherObject));
```
will produce
```
create: <script>alert('boom')</script> - 366712642
serialize: {"name":"\u003Cscript\u003Ealert('boom')\u003C/script\u003E"}
unserialize: <script>alert('boom')</script> - 1419810764
```
with the patch and not
```
unserialize: \u003Cscript\u003Ealert('boom')\u003C/script\u003E - 1419810764
```
as you may have expected.
There is no need to change the read part to be symmetric: both '<' and
'\u003C' produce the same Java char '<'. It is only another way to print
the char in a JSON string.
I was debugging TomEE and I think this is the only place to have a safe
response in all our REST methods using JAX-RS. If you think there is a better
place / layer, please tell me where. I don't want to escape input parameters,
because we would lose the ability to access / search objects containing '<' or
'>', so for me the response must be escaped, and I did not see another place.
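An added example (in Python, using only the standard `json` module; it is not Johnzon's code nor the commenter's) showing the two points above: escaping `<` and `>` as `\u003C` / `\u003E` on the write side changes only the wire text, and an unmodified reader decodes both spellings to the same value, so searches on the decoded objects still find `<`. The `&` entry and the `dumps_html_safe`, `round_trip` and `demo` names are assumptions of this example, and the sample payload is constructed to mirror the `MyModel` output in the comment.

```python
import json

# Characters an HTML parser treats as markup delimiters when JSON text is
# embedded in a page. Each maps to the \uXXXX form that any JSON parser
# decodes back to the very same character. '<' and '>' mirror the comment
# above; '&' is an extra added here for attribute contexts.
HTML_SENSITIVE = {"<": "\\u003C", ">": "\\u003E", "&": "\\u0026"}


def dumps_html_safe(value) -> str:
    """json.dumps followed by a rewrite of HTML-significant characters.

    json.dumps (ensure_ascii=True by default) only ever emits these characters
    inside string literals, so a whole-text rewrite cannot touch JSON structure.
    """
    text = json.dumps(value, separators=(",", ":"))
    return "".join(HTML_SENSITIVE.get(ch, ch) for ch in text)


def round_trip(value):
    """Serialise with escaping, parse back with the stock reader.

    Returns (wire text, parsed value).
    """
    wire = dumps_html_safe(value)
    return wire, json.loads(wire)


def demo(value):
    """Compare the escaped and plain encodings of one value."""
    wire, parsed = round_trip(value)
    plain = json.dumps(value, separators=(",", ":"))
    return {
        "wire": wire,
        "plain": plain,
        # the unescaped and escaped encodings decode to equal values
        "parsers_agree": json.loads(plain) == parsed,
        # round trip yields an equal value but a new object (cf. identityHashCode)
        "value_preserved": parsed == value and parsed is not value,
        # the wire form carries no literal tag delimiters
        "no_literal_tag": not any(ch in wire for ch in HTML_SENSITIVE),
    }


# Constructed sample mirroring the MyModel payload from the comment.
SAMPLE = {"name": "<script>alert('boom')</script>"}

if __name__ == "__main__":
    for key, val in demo(SAMPLE).items():
        print(f"{key}: {val}")
```

The rewrite is applied to the serialised text rather than to the input objects, which is the placement the comment argues for: stored values keep their literal `<` and `>` and remain searchable, while every response leaves the JSON layer without a character a browser could read as a tag delimiter.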
--
This is an automated message from the Apache Git Service.