
How to solve the problem of " being escaped in json strings

Open aduoer opened this issue 9 months ago • 5 comments

Input: { "names":"["alex","bob"]" }

Expected output: { "names":"["alex","bob"]" }

Current output: { "names":"[&quot;alex&quot;,&quot;bob&quot;]" }

antisamy version: 1.7.7

aduoer avatar Feb 26 '25 03:02 aduoer

Can you please explain how you are using AntiSamy to do this? We need more details to be able to review/respond appropriately. cc @spassarop

davewichers avatar Feb 26 '25 14:02 davewichers

> Can you please explain how you are using AntiSamy to do this? We need more details to be able to review/respond appropriately. cc @spassarop

When using AntiSamy as an XSS filter, if your input parameters contain JSON strings and you want to avoid converting escaped characters like " back to " after processing, here's the solution:

Problem Analysis: AntiSamy automatically escapes special characters to sanitize HTML/XML contexts. However, this breaks JSON validity if the input is a JSON string (e.g., {"key":"value"} becomes {"key":"value"}).

aduoer avatar Feb 27 '25 03:02 aduoer

@aduoer - Can you edit your response to properly escape it, because all your encoded stuff is decoded automatically when viewing it. You need to look at the 'Preview' view to make sure it looks like you intend.

davewichers avatar Feb 27 '25 15:02 davewichers

Also, it would be better to provide a Java test case so it can be debugged with the expected behavior.

spassarop avatar Mar 09 '25 16:03 spassarop

> Can you please explain how you are using AntiSamy to do this? We need more details to be able to review/respond appropriately. cc @spassarop
>
> When using AntiSamy as an XSS filter, if your input parameters contain JSON strings and you want to avoid converting escaped characters like " back to " after processing, here's the solution:
>
> Problem Analysis: AntiSamy automatically escapes special characters to sanitize HTML/XML contexts. However, this breaks JSON validity if the input is a JSON string (e.g., {"key":"value"} becomes {"key":"value"}).

It sounds as though perhaps you are using an interceptor type of approach such as a Spring Interceptor or Java EE (or Jakarta) Servlet Filter. If you are in fact using AntiSamy as a general solution to address all your XSS defenses using an approach like that and you believe that alone is sufficient, you are unfortunately wrong. That is a popular anti-pattern that was spread through misinformed web articles in the early 2000s and then took on a life of its own when they were the top answer on Stack Overflow when searching for "XSS defense". Recently, I added the section "Common Anti-patterns: Ineffective Approaches to Avoid" in the "OWASP Cross Site Scripting Prevention Cheat Sheet". If that indeed is what you are doing, you definitely should read at least that section.

kwwall avatar Mar 09 '25 17:03 kwwall
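The Java test case spassarop asked for, written as an added example that is not from the AntiSamy project or from anyone in this thread. It reproduces the reported behaviour (the whole JSON document goes through AntiSamy and its quotes come back as `&quot;`) and then shows the pattern kwwall's comment points toward: parse the JSON first and run AntiSamy only on the field that is actually rendered as HTML. It assumes AntiSamy 1.7.x, Jackson and JUnit 5 on the classpath, a policy file reachable as the classpath resource `/antisamy.xml`, and that the reporter's inner quotes were backslash-escaped JSON before GitHub decoded the markup.

```java
// Added example; assumes AntiSamy 1.7.x, Jackson, JUnit 5 and a policy at /antisamy.xml (assumption).
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import org.junit.jupiter.api.Test;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.Policy;

class JsonThroughAntiSamyTest {

    private static Policy policy() throws Exception {
        // Assumption: the AntiSamy policy file is shipped as a classpath resource.
        return Policy.getInstance(JsonThroughAntiSamyTest.class.getResourceAsStream("/antisamy.xml"));
    }

    @Test
    void wholeJsonDocumentIsTreatedAsHtmlText() throws Exception {
        // Constructed input in the shape of the issue report, inner quotes JSON-escaped:
        // {"names":"[\"alex\",\"bob\"]"}
        String json = "{\"names\":\"[\\\"alex\\\",\\\"bob\\\"]\"}";
        String cleaned = new AntiSamy().scan(json, policy()).getCleanHTML();

        // AntiSamy is an HTML sanitizer: quotes in text are emitted as character references,
        // so the result is no longer parseable JSON. This is the behaviour the issue reports.
        assertTrue(cleaned.contains("&quot;"));
        assertThrows(Exception.class, () -> new ObjectMapper().readTree(cleaned));
    }

    @Test
    void sanitizeOnlyTheFieldThatCarriesHtml() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed document: "names" is plain data, "bio" is the only field rendered as HTML.
        ObjectNode doc = (ObjectNode) mapper.readTree(
            "{\"names\":\"[\\\"alex\\\",\\\"bob\\\"]\",\"bio\":\"<b>hi</b><script>alert(1)</script>\"}");

        // Sanitize the HTML-bearing field by itself, then write the field back into the document.
        String cleanBio = new AntiSamy().scan(doc.get("bio").asText(), policy()).getCleanHTML();
        doc.put("bio", cleanBio);
        String out = mapper.writeValueAsString(doc);

        // The document is still valid JSON, "names" is untouched, and the script element is gone.
        assertEquals("[\"alex\",\"bob\"]", mapper.readTree(out).get("names").asText());
        assertFalse(cleanBio.contains("<script"));
    }
}
```

The second test is the shape a blanket filter cannot take: the decision of which field to sanitize depends on where the value is rendered, which only the application code knows.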