
Escape values of a JSON String without breaking the JSON


I'm trying to escape the values from a JSON string and remove HTML chars (like <script> etc.) in the backend. I've read that GSON normally does that itself, but in my case it doesn't because I'm directly filling the Java object via "fromJson".

If I'm just using the commons library and escape with escapeString or escapeJson, it will also escape the double quotes (") and then break the fromJson function from GSON.

I'm using the following functionality to fill the object:

Gson gson = new GsonBuilder().setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").create();
DataObject dObject = gson.fromJson(jsonString, DataObject.class);

The JSON string looks like the following (it is dynamic):

{"dynamic":[{"id":1,"constrain":"1","value_text":"test"},{"id":11,"constrain":"1","value_boolean":1},],"name":"Xzzz","prename":"XY","language":"e","email":"x@xy.com"}

I just want to escape the values of the JSON string (like when someone types <script> as a name, it should be escaped as &lt;script&gt;).

Has anyone any idea how I could fix that problem?

Thanks in advance.


Solution

  • My guess is you are trying to sanitize the user's input to prevent cross-site scripting. What you probably want to do is use a whitelist for input allowed. Once the input passes you can send it to the backend.

    This is a good reference:

    http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer

    Summarized, it boils down to this:

    import org.jsoup.Jsoup;
    import org.jsoup.safety.Whitelist;

    String unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
    String safe = Jsoup.clean(unsafe, Whitelist.basic());
    // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>
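One way around the broken-quotes problem in the question, as an added example that is not code from the question or the answer: let Gson parse the JSON first, then HTML-escape only the string values in the resulting tree, so the JSON syntax (the double quotes) is never touched. It assumes Gson 2.8.6 or later for JsonParser.parseString, and that DataObject is the asker's own class.

```java
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.gson.JsonPrimitive;
import java.util.Map;

public class JsonValueEscaper {
    // HTML-escapes one string value; these five characters change meaning in HTML text and attributes.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Rebuilds the parsed tree, escaping only string primitives; keys, numbers, booleans and nulls pass through.
    static JsonElement escapeStringValues(JsonElement el) {
        if (el.isJsonObject()) {
            JsonObject out = new JsonObject();
            for (Map.Entry<String, JsonElement> e : el.getAsJsonObject().entrySet()) {
                out.add(e.getKey(), escapeStringValues(e.getValue()));
            }
            return out;
        }
        if (el.isJsonArray()) {
            JsonArray out = new JsonArray();
            for (JsonElement item : el.getAsJsonArray()) out.add(escapeStringValues(item));
            return out;
        }
        if (el.isJsonPrimitive() && el.getAsJsonPrimitive().isString()) {
            return new JsonPrimitive(escapeHtml(el.getAsString()));
        }
        return el;
    }
    public static void main(String[] args) {
        // Constructed input in the shape of the question's JSON, with a hostile "name" and an embedded quote.
        String jsonString = "{\"dynamic\":[{\"id\":1,\"constrain\":\"1\",\"value_text\":\"a \\\"quoted\\\" test\"}],\"name\":\"<script>alert(1)</script>\",\"prename\":\"XY\",\"email\":\"x@xy.com\"}";
        JsonElement escaped = escapeStringValues(JsonParser.parseString(jsonString));
        System.out.println(escaped);
        // Bind the escaped tree instead of the raw string; Gson accepts a JsonElement directly (DataObject is the asker's class):
        // DataObject dObject = gson.fromJson(escaped, DataObject.class);
    }
}
```

Escaping stored values this way is a second line of defence only: the data is now HTML-encoded at rest, so it must not be encoded a second time on output, and any value that is later rendered into a different context (JavaScript, URL, attribute) still needs the encoding for that context at render time.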