
How do I use the JSON Sanitizer on the server side?

Updated: 2023-11-27 22:43:28

The OWASP JSON Sanitizer converts JSON-like input to syntactically valid & embeddable JSON.

It is typically used to take "JSON" produced by ad-hoc methods on the server like

    "{ \"output\": " + stringOfJson + " }"

and make sure it's syntactically valid so that it can be passed to JSON.parse on the client, and embeddable so that it can be embedded in a larger HTML or XML response like

    <script>var jsonUsedByScriptsOnPage = {$myJson};</script>

You can definitely use it on your server if your clients are likely to send dodgy JSON.

Note that your server still needs to treat the JSON as untrusted just as it would any other string it receives in a response that does not arrive with valid credentials.

https://github.com/OWASP/json-sanitizer#security explains:

    Sanitizing JSON cannot protect an application from confused deputy attacks:

var myValue = JSON.parse(sanitizedJsonString);
addToAdminstratorsGroup(myValue.propertyFromUntrustedSource);
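The two halves of the answer, sanitizing the ad-hoc wrapper so it can be embedded, and then still treating the parsed value as untrusted, put together in one server-side class. This is an added example, not code from the answer above or from the OWASP project. It assumes the library's `JsonSanitizer.sanitize(String)` entry point from the `com.mikesamuel:json-sanitizer` artifact, Jackson (`jackson-databind`) for parsing the sanitized string, and a constructed allow-list `GRANTABLE_ROLES` plus a made-up `role` field standing in for whatever property your own code would read from the client.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.json.JsonSanitizer;

import java.util.Set;

public class SanitizedEmbed {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed allow-list for this example: the only roles the server will grant at all.
    private static final Set<String> GRANTABLE_ROLES = Set.of("viewer", "editor");

    /** Wraps the client string the ad-hoc way shown in the answer, then sanitizes the result. */
    static String buildEmbeddableJson(String stringOfJson) {
        String adHoc = "{ \"output\": " + stringOfJson + " }";
        // sanitize() repairs unquoted keys, single quotes and trailing commas, and escapes
        // "</" and "]]>" so the output cannot terminate a <script> element or CDATA section.
        return JsonSanitizer.sanitize(adHoc);
    }

    /** Embeds the sanitized JSON in a page the way the answer's <script> snippet does. */
    static String renderScriptTag(String stringOfJson) {
        return "<script>var jsonUsedByScriptsOnPage = "
                + buildEmbeddableJson(stringOfJson) + ";</script>";
    }

    /**
     * The confused-deputy check: sanitized JSON parses cleanly, but a value taken from it
     * must still pass authorization and the allow-list before the server acts on it.
     * Returns the role to grant, or null when the request must be refused.
     */
    static String roleToGrant(String sanitizedJson, boolean callerIsAdmin) throws Exception {
        JsonNode root = MAPPER.readTree(sanitizedJson);
        // "role" is a hypothetical field chosen for this example.
        String requested = root.path("output").path("role").asText(null);
        if (!callerIsAdmin || requested == null || !GRANTABLE_ROLES.contains(requested)) {
            return null;
        }
        return requested;
    }

    public static void main(String[] args) throws Exception {
        // Constructed dodgy client input: an unquoted key, single quotes, a trailing comma,
        // and a "</script>" inside a string that would close the tag if concatenated in raw.
        String dodgy = "{role: 'editor', note: 'contains </script> in a string',}";

        String sanitized = buildEmbeddableJson(dodgy);
        System.out.println(renderScriptTag(dodgy));

        // Well-formed is not the same as trusted: refused for a caller who is not an admin ...
        System.out.println(roleToGrant(sanitized, false));
        // ... and granted only for an allow-listed role when the caller is authorized.
        System.out.println(roleToGrant(sanitized, true));
    }
}
```

The point of `roleToGrant` is the one the README quote makes: the sanitizer fixes syntax and embeddability, nothing else, so the authorization decision belongs to the code that reads `myValue.propertyFromUntrustedSource`, not to the sanitizer.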