neo icon indicating copy to clipboard operation
neo copied to clipboard

Published 20 hours ago verified publisher icon neo-project

fix `+` in json

Open shargon opened this issue 10 months ago • 1 comments

Description

Fix https://github.com/neo-project/neo/issues/2612 Based on https://github.com/neo-project/neo/pull/2050/files

Type of change

  • [x] Optimization (the change is only an optimization)
  • [ ] Style (the change is only a code style for better maintenance or standard purpose)
  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] This change requires a documentation update

How Has This Been Tested?

  • [x] JsonTest_Object

Test Configuration:

Checklist:

  • [ ] My code follows the style guidelines of this project
  • [ ] I have performed a self-review of my code
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] My changes generate no new warnings
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] New and existing unit tests pass locally with my changes
  • [ ] Any dependent changes have been merged and published in downstream modules

shargon avatar Jan 08 '25 19:01 shargon

This can lead to some state diff, needs to be checked.

roman-khimov avatar Jan 09 '25 19:01 roman-khimov

Maybe we can use UnsafeRelaxedJsonEscaping? https://learn.microsoft.com/en-us/dotnet/standard/serialization/system-text-json/character-encoding#serialize-all-characters

erikzhang avatar Oct 10 '25 02:10 erikzhang

Maybe we can use UnsafeRelaxedJsonEscaping? https://learn.microsoft.com/en-us/dotnet/standard/serialization/system-text-json/character-encoding#serialize-all-characters

We tried that and works great. However it allows for XSS Injection and other security problems.

cschuchardt88 avatar Oct 10 '25 16:10 cschuchardt88

Maybe we can use UnsafeRelaxedJsonEscaping? https://learn.microsoft.com/en-us/dotnet/standard/serialization/system-text-json/character-encoding#serialize-all-characters

I remember that we tried with bad results, other characters are not scaped, maybe the '+' I don't remember very well, maybe @roman-khimov yes

shargon avatar Oct 10 '25 16:10 shargon

See #2050. While the problem is valid and it'd be nice to fix it, I fear changing anything can break things.

roman-khimov avatar Oct 10 '25 19:10 roman-khimov

Maybe we can use UnsafeRelaxedJsonEscaping? https://learn.microsoft.com/en-us/dotnet/standard/serialization/system-text-json/character-encoding#serialize-all-characters

I remember that we tried with bad results, other characters are not scaped, maybe the '+' I don't remember very well, maybe @roman-khimov yes

I based off the things I tested on my local machine it worked for + sign.. But now I remember that Escape characters and Strict UTf-8 didnt work.

cschuchardt88 avatar Oct 11 '25 02:10 cschuchardt88

We tried that and works great. However it allows for XSS Injection and other security problems.

Putting strings directly into HTML without processing will always bring security issues. I don't think solving the XSS injection problem should be implemented by the contract interaction interface.

erikzhang avatar Oct 11 '25 06:10 erikzhang