Open alexanderkjeldaas opened 10 years ago
@alexanderkjeldaas What do you suggest to do here? Do you want a way to register a postprocessor for json responses? E.g.

```haskell
transformJSON :: (ByteString -> ByteString) -> ActionM ()
```

that can then be used like so:

```haskell
main = scotty 3000 $ do
  transformJSON (")]}',\n" <>)
  get "/" $ do
    json [23 :: Int, 42]
```
Yes, something like that. With a focus on ensuring that it is unlikely that an unprotected json response will be sent in a large application.
> With a focus on ensuring that it is unlikely that an unprotected json response will be sent in a large application.
What do you have in mind here? AFAIK, sending JSON objects is fine. So if the user already follows the convention to always wrap things in a top-level object, no mitigation is needed. I assumed it's at the user's discretion to enable any form of mitigation.

Another approach would be to check if the provided JSON `Value` is an object. If it is not an object, we could wrap it (e.g. `{"value" : ...}`). Not sure if that is desirable?
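The two mitigations discussed in this thread (prefixing the body with `")]}',\n"` and wrapping non-object values in an object) combined into a single `safeJson` helper, as an added example that is not part of the issue or of Scotty's code. It assumes `aeson` and `scotty` are available; `hijackPrefix`, `ensureObject`, `protectBody` and `safeJson` are hypothetical names chosen here.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main where

import Data.Aeson (ToJSON, Value (..), encode, object, toJSON, (.=))
import qualified Data.ByteString.Lazy as BL
import Web.Scotty (ActionM, get, raw, scotty, setHeader)

-- Prefix that makes the body a syntax error when pulled in via <script>;
-- clients that know the convention (e.g. Angular's $http) strip it first.
hijackPrefix :: BL.ByteString
hijackPrefix = ")]}',\n"

-- Second option from the thread: a bare top-level array or scalar is wrapped
-- so the response is always an object literal, which a <script> include
-- cannot evaluate as a statement.
ensureObject :: Value -> Value
ensureObject v@(Object _) = v
ensureObject v            = object ["value" .= v]

-- Both mitigations applied to the encoded body (hypothetical helper).
protectBody :: Value -> BL.ByteString
protectBody v = hijackPrefix <> encode (ensureObject v)

-- Drop-in replacement for Scotty's `json`. If handlers only ever emit JSON
-- through this function, an unprotected body cannot slip out of the app.
safeJson :: ToJSON a => a -> ActionM ()
safeJson x = do
  setHeader "Content-Type" "application/json; charset=utf-8"
  raw (protectBody (toJSON x))

main :: IO ()
main = scotty 3000 $ do
  -- the array payload from the thread; served as )]}',\n{"value":[23,42]}
  get "/" $ safeJson [23 :: Int, 42]
  -- an object payload passes through unchanged apart from the prefix
  get "/user" $ safeJson (object ["name" .= ("alice" :: String)])
```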
Angular will automatically strip `")]}',\n"` from json responses.

https://docs.angularjs.org/api/ng/service/$http
http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/