
JSON output should prevent content-sniffing

Open meder opened this issue 13 years ago • 7 comments

To ensure that JSON output of this library doesn't result in cross-site scripting (XSS) due to content-sniffing [1], please add the following:

  • Use \xNN escape sequences to substitute characters in the 0x00 - 0x1F range, <, >, and any characters above 0x7F.
  • Add 'Content-Disposition: attachment' header to discourage browsers/plugins from rendering data

[1] http://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors

meder avatar Dec 12 '11 23:12 meder

ping

meder avatar Jan 04 '12 03:01 meder

The content disposition part is not part of this fix, since this gem is just the encoder / decoder, but the escaping would be important to fix.

@flori: any thoughts on the above?

igrigorik avatar Jan 13 '12 00:01 igrigorik

The 0x00–0x1f range is always escaped. The non-ASCII range is escaped when :ascii_only is set (defaults to false). But I think escaping < (by default!) would be great, as it would avoid HTML content sniffers and certain attacks involving </script> tags. Once that's done, I'm not sure escaping > is needed.

mernen avatar Feb 11 '12 00:02 mernen
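An added example (not the gem's own code) of the approach mernen describes: let the encoder escape control characters and, with `:ascii_only`, non-ASCII characters, then rewrite `<` and `>` in the output as `\uXXXX` escapes, which JSON does have. The names `sniff_safe_json` and `sniffable?` are assumed here.

```ruby
require 'json'

# Added example, not part of the json gem. Generate JSON whose text carries
# none of the bytes an HTML content sniffer keys on: control characters
# (0x00-0x1F), '<', '>' and anything above 0x7F.
#
# Rewriting the serialized text is safe because JSON syntax itself never
# contains '<' or '>'; they can only occur inside string literals, where the
# \uXXXX escape is valid and decodes back to the same character.
def sniff_safe_json(obj)
  # The gem already escapes 0x00-0x1F unconditionally; ascii_only: true is
  # its existing option for escaping non-ASCII characters as \uXXXX.
  json = JSON.generate(obj, ascii_only: true)
  json.gsub(/[<>]/) { |c| format('\u%04x', c.ord) }
end

# True if the encoded text still contains a control byte, a non-ASCII byte,
# or a literal '<' / '>' that a browser could read as markup.
def sniffable?(json_text)
  json_text.each_byte.any? { |b| b < 0x20 || b >= 0x80 } ||
    json_text.match?(/[<>]/)
end

# Constructed sample: a user-supplied string that closes a script block.
SAMPLE = {
  'comment' => '</script><script>alert(1)</script>',
  'name'    => "Zo\u00eb\u0001"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(SAMPLE)   # default output: literal '<' and '>' survive
  puts sniff_safe_json(SAMPLE) # every '<' and '>' now appears as \u003c / \u003e
end
```

The round trip through `JSON.parse` is unchanged: the escaped form decodes to exactly the same Ruby object.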

ping?

re escaping < only, what's the idea behind that? why not escape both < and >?

meder avatar Mar 02 '12 00:03 meder

Just saving a few bytes, nothing more. (That's +5 bytes per escaped character, since JSON has no \xNN form)

mernen avatar Mar 02 '12 00:03 mernen

seems like an over optimization to me, after all this is 2012 :)

meder avatar Mar 02 '12 00:03 meder

is anyone working on this? or are you expecting a pull request?

meder avatar Mar 06 '12 06:03 meder