Posted to users@tomee.apache.org by sudhakarvm <su...@gmail.com> on 2019/02/04 08:03:43 UTC

Sanitizing the REST input payload

Hi,

We are using Jersey 2 and are not overriding the default JSON serializer and
deserializer, i.e. Johnzon. So I wanted to check whether Johnzon escapes the
request payload (to avoid cross-site scripting attacks - XSS) or whether we
have to explicitly escape the input. If we have to escape it ourselves, can
you suggest the best-fit escaping (input sanitizing) API?

Thanks in advance,
Sudhakar



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Re: Sanitizing the REST input payload

Posted by Roberto Cortez <ra...@yahoo.com.INVALID>.
Hi Sudhakar,

What really makes a difference is the Object type and Content-Type returned by your API. If it is XML or JSON, it should be escaped by default.

Cheers,
Roberto

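As an added illustration of Roberto's point (this is not code from the thread, from Jersey or from Johnzon), the constructed JAX-RS resource below returns a DTO holding JSON- and HTML-special characters. It assumes the javax JAX-RS and JSON-B APIs with Johnzon as the JSON-B provider, and contrasts what the JSON encoder escapes with what HTML-context escaping has to do separately.

```java
import javax.json.bind.Jsonb;
import javax.json.bind.JsonbBuilder;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
@Path("/comments")
public class CommentResource {
    // Constructed DTO; the values are test data chosen to contain JSON- and HTML-special characters.
    public static class Comment {
        public String author = "mallory\"; alert(1); //";
        public String body = "<script>alert(1)</script>\nsecond line";
    }
    // Jersey hands the returned object to the JSON-B provider (Johnzon on TomEE) and sends
    // Content-Type: application/json. The JSON encoder escapes '"', '\\' and control characters,
    // so a value cannot break out of its JSON string; a browser does not render application/json as HTML.
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Comment latest() {
        return new Comment();
    }
    // HTML-context escaping is a separate step, needed only where the same value is written into an
    // HTML page (template, JSP, innerHTML). JSON encoding leaves '<', '>' and '&' untouched.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Stand-alone run outside the container: serialize with JSON-B and compare with HTML escaping.
    public static void main(String[] args) throws Exception {
        try (Jsonb jsonb = JsonbBuilder.create()) {
            Comment c = new Comment();
            System.out.println("JSON-B output:     " + jsonb.toJson(c));
            System.out.println("HTML-escaped body: " + escapeHtml(c.body));
        }
    }
}
```

The JSON output is safe as JSON regardless of the input; whether it is safe on a page depends on the consumer applying the HTML escaping (or a DOM text API) at render time.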