PomeloFoundation / dotNETCore-Extensions

MIT License

Tags in serialized string #14

Closed webbkvalite closed 7 years ago

webbkvalite commented 7 years ago

When posting the following string (a stringified json-object with quotes inside): [{"id":"4e5pv","q":"asdf<span class=\"read-me\">some text a","sa":"more text"}]

It renders as: [{"id":"4e5pv","q":"asdfsome text a","sa":"more text"}]

Is there a way to keep the escaped quotes from being modified? As it is now, it throws when trying to parse back to JSON.

yukozh commented 7 years ago

Which lib are you using?

webbkvalite commented 7 years ago

"Pomelo.AspNetCore.AntiXSS": "1.0.0-prerelease-20160813",

...and GitHub removed parts of the string, sorry, let's try again. The input is: [{"id":"4e5pv","q":"asdf<span class="read-me">some text a","sa":"more text"}]

The output is: [{"id":"4e5pv","q":"asdf<span class="\&quot;read-me\&quot;">some text</span> a","sa":"more text"}]

webbkvalite commented 7 years ago

OK, I've upgraded to "Pomelo.AspNetCore.AntiXSS": "1.1.0-rtm-10031". The problem remains, so it's adding \&quot; to HTML strings inside a serialized JSON object.

yukozh commented 7 years ago

Why do you use antixss to filter JSON? antixss should be used in the sanitize-HTML scenario.

webbkvalite commented 7 years ago

The frontend is collecting answers from the users. The answers contain HTML that will be displayed to others. Since the answers are nested, I have to serialize them into a single field before posting them to the server.

AntiXss filters the serialized string in OWIN before it reaches the MVC controller. Maybe a workaround could be to

  1. turn off antixss for this particular controller
  2. parse the JSON
  3. filter each HTML field specifically before saving to the database.

What do you think?

...and thank you for your good work!
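The layering problem this thread describes, shown as an added example (not code from the issue and not Pomelo.AspNetCore.AntiXSS): a small allowlist HTML sanitizer written for this illustration stands in for the real filter. Applied to the raw request body it treats the JSON escapes `\"` as part of an unquoted HTML attribute value and re-emits them HTML-encoded, producing exactly the `class="\&quot;read-me\&quot;"` output quoted above and a body that no longer parses as JSON. Parsing the JSON first and sanitizing only the fields known to carry HTML keeps the document valid. The request body, the allowlist and the field names are constructed from the strings in the thread.

```python
"""Body-level vs. field-level HTML sanitizing of a JSON request body."""
import html
import json
from html.parser import HTMLParser

# Constructed allowlist for the toy sanitizer (not the real library's policy).
ALLOWED_TAGS = {"span", "b", "i", "p"}
ALLOWED_ATTRS = {"class"}

# Constructed request body, built from the strings quoted in the issue:
# a JSON array whose "q" field carries HTML with JSON-escaped quotes.
RAW_BODY = (
    '[{"id":"4e5pv","q":"asdf<span class=\\"read-me\\">some text</span> a",'
    '"sa":"more text"}]'
)


class AllowlistSanitizer(HTMLParser):
    """Re-serializes an HTML fragment: drops tags and attributes outside the
    allowlist, escapes all text, and HTML-encodes attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            if name in ALLOWED_ATTRS and value is not None:
                # Quotes inside the value become &quot; -- this is the step
                # that mangles JSON when the whole body is treated as HTML.
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text nodes: escape &, <, > but leave quotes alone.
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Sanitize one HTML fragment with the toy allowlist policy."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_whole_body(body):
    """What a request-body-level HTML filter does: the JSON text is fed to the
    HTML sanitizer as if it were markup."""
    return sanitize_html(body)


def sanitize_json_fields(body, html_fields):
    """Parse the JSON first, then sanitize only the fields that carry HTML.
    Returns the re-serialized body with JSON escaping intact."""
    answers = json.loads(body)
    for answer in answers:
        for field in html_fields:
            if field in answer:
                answer[field] = sanitize_html(answer[field])
    return json.dumps(answers, separators=(",", ":"))


def load_answers(text):
    """Parse a body back to a list of answers, or None if it is not valid JSON."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    mangled = sanitize_whole_body(RAW_BODY)
    print("body-level filter :", mangled)
    print("parses as JSON    :", load_answers(mangled) is not None)
    cleaned = sanitize_json_fields(RAW_BODY, ("q",))
    print("field-level filter:", cleaned)
    print("parses as JSON    :", load_answers(cleaned) is not None)
```

The body-level pass reproduces the failure mode because an HTML parser has no notion of JSON string escaping: `class=\"read-me\"` is an unquoted attribute whose value happens to contain quote characters, so the sanitizer quotes it and encodes those characters. The field-level pass sees the decoded value `class="read-me"`, sanitizes it as real markup, and `json.dumps` re-applies the JSON escaping on the way out, so the structure survives while disallowed attributes (for example an `onclick`) are still dropped.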

webbkvalite commented 7 years ago

OK, I changed to .NET MVC's built-in handling of lists of objects. This flattened the JSON object into plain fields in the POST request, which are now filtered individually. Everything is working fine!