I saw the following comment in Spring JSON messageConverter:
/**
* Indicate whether the JSON output by this view should be prefixed with "{} &&". Default is false.
* <p>Prefixing the JSON string in this manner is used to help prevent JSON Hijacking.
* The prefix renders the string syntactically invalid as a script so that it cannot be hijacked.
* This prefix does not affect the evaluation of JSON, but if JSON validation is performed on the
* string, the prefix would need to be ignored.
*/
How does string prefixing work to prevent JSON hijacks?
Contrived example: say Google has a URL like mail.google.com/json?action=inbox which returns the first 50 messages of your inbox in JSON format. Evil websites on other domains can't make AJAX requests to get this data due to the same-origin policy, but they can include the URL via a tag. The URL is visited with your cookies, and by overriding the global array constructor or accessor methods they can have a method called whenever an object (array or hash) attribute is set, allowing them to read the JSON content.
The {} && prevents this: an AJAX request at mail.google.com will have full access to the text content, and can strip it away. But a tag insertion blindly executes the JavaScript without any processing. Since {} is a falsey value the actual response would never be parsed
Other frameworks add different content to the response, like while(1); (example from Google) which causes an infinite loop for a hacker, but we can strip it out on our own site
The addition of the prefix will invalidate the string.
I think you may want to check this Stackoverflow question and comments to it:
Difference between ")]}',\n" and "{} &&" in avoiding json hijacking
Related
I have a request as follows:
localhost:8000/location/:01
My code takes as input an HttpContext request.
func(HttpExchange r) {
String area_path = r.getRequestURI(); // Equals string "/location/"
}
How do I parse an HttpExchange correctly so I can pull out the "01" from this path and store it as a variable?
That (localhost:8000/location/:01) is not a valid URL or URI
A plain colon character is not legal in the path of a URL or URI. If you want to put a colon in the path, it must be percent-encoded. Furthermore, if this was a URL, it would start with a protocol; e.g. http:.
Now ... it is unclear what the HTTP stack you are using will do with a syntactically incorrect URL / URI, but it could simply be ignoring the colon and the characters after it.
Your code looks a bit odd too. You have tagged the question as [java]. But the code looks like JavaScript rather than Java; i.e. func is a Javascript keyword. But it also looks like you are using the (deprecated) com.sun.net.httpserver.HttpExchange Java class. I don't know what to make of that ...
My advice:
Don't use a colon character in the URL path.
If you must do it, then percent-encode the colon it.
If you cannot encode it properly, then you may need to find and use a different framework for your HTTP request handling. One that will accept and handle a malformed URL / URI in the way that you want. (Good luck finding one!)
Unfortunately, the details in your question are too sketchy to give more detailed advice.
In my HQL i'm using
queryListBuilder.append(" and f.nom like '%"+ nomFil +"%' ");
nomFil is a string that may contain white spaces between words.
when i send
http://localhost:8080/list?nom=First Last
I got empty result.
Ps: in my DB the value exists in my target table.
is there any way to handel white spaces in request parameters?
You need to encode and decode the query params.
Ref : https://www.baeldung.com/java-url-encoding-decoding
You should encode nomFil if using inside URL,as:
URLEncoder.encode(nomFil, "UTF-8");
See Percent encoding
Percent-encoding, also known as URL encoding, is a mechanism for encoding information in a Uniform Resource Identifier (URI) under certain circumstances. Although it is known as URL encoding it is, in fact, used more generally within the main Uniform Resource Identifier (URI) set, which includes both Uniform Resource Locator (URL) and Uniform Resource Name (URN). As such, it is also used in the preparation of data of the application/x-www-form-urlencoded media type, as is often used in the submission of HTML form data in HTTP requests.
I have this URI:
http://IP5:port/notification/myServlet.do?method=myMethod¶m1=[08]&method2=anotherParam¶m0=[07,04,06]
I want to obtain the URI's last part in the same order:
method=myMethod¶m1=[08]&method2=anotherParam¶m0=[07,04,06]
But' I can't discover how:
I can see in the request the field input, in order to do a substring after of ? character...
the methods: request.getRequestURI() and request.getRequestURL() is not working for me.
It looks like request is an HttpServletRequest. If so, you should be able to get what you are looking for using request.getQueryString().
I have created a basic CRUD API using Dropwizard and Spring. In the body of my response object, I am receiving the following:
)]}',
{
"id":10,
"initiator":2,
"target":1,
"statusId":1,
"created":"2018-04-30T14:45:01.173"
}
I checked the API using curl, postman, and programatically during testing with rest assured, and the invalid characters )]}', are always present. Postman seems to be capable of ignoring them and displaying a pretty printed output, however rest assured, and I'm guessing most JSON parsers, can't parse it correctly.
Questions:
What are they?
Why are they present?
How do I remove them?
I've been writing REST APIs for years and I've never seen anything like this. This is my first time using dropwizard so I'm optimistically hoping it is some configuration I have missed.
Apart from the the invalid characters, functionally the API works fine.
This is an inherited codebase, and other APIs return these characters also. For the purposes of testing in rest assured the invalid characters are filtered out before processing the response. While this seems acceptable to me as a workaround in the short term, long term any future consumers of the API will all have to perform the workaround, and ideally this would be fixed in the API itself.
Not aware of DropWizard but it is there to prevent json-hijacking.
In Spring there is a MappingJackson2HttpMessageConverter class.
which has same feature, but prefix is different "{} &&"
/**
* Indicate whether the JSON output by this view should be prefixed with "{} &&". Default is false.
* <p>Prefixing the JSON string in this manner is used to help prevent JSON Hijacking.
* The prefix renders the string syntactically invalid as a script so that it cannot be hijacked.
* This prefix does not affect the evaluation of JSON, but if JSON validation is performed on the
* string, the prefix would need to be ignored.
*/
public void setPrefixJson(boolean prefixJson) {
this.prefixJson = prefixJson;
}
You can relate to this.
Edit 1:
Spring version 4.2.0.RELEASE onwards, default prefix has been updated to )]}',
I need help. In my current development one of the requirements says:
The server will return 200-OK as a response(httpresponse).
If the panelist is verified then as a result, the server must also
return the panelist id of this panelist.
The server will place the panelist id inside the body of the 200-OK
response in the following way:
<tdcp>
<cmd>
<ack cmd=”Init”>
<panelistid>3849303</panelistid>
</ack>
</cmd>
Now I am able to put the httpresponse as
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
And I can put
String responseToClient= "<tdcp><cmd><ack cmd=”Init”><panelistid>3849303</panelistid></ack></cmd></tdcp>";
Now what does putting the above xml inside the body of 200-OK response mean and how can it be achieved?
You can write the XML directly to the response as follows:
This example uses a ServletResponse.getWriter(), which is a PrintWriter to write a String to the response.
String responseToClient= "<tdcp><cmd><ack cmd=”Init”><panelistid>3849303</panelistid></ack></cmd></tdcp>";
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
httpServletResponse.getWriter().write(responseToClient);
httpServletResponse.getWriter().flush();
You simply need to get the output stream (or output writer) of the servlet response, and write to that. See ServletResponse.getOutputStream() and ServletResponse.getWriter() for more details.
(Or simply read any servlet tutorial - without the ability to include data in response bodies, servlets would be pretty useless :)
If that's meant to be XML, Word has already spoiled things for you by changing the attribute quote symbol to ” instead of ".
It is worth having a look at JAXP if you want to generate XML using Java. Writing strings with < etc. in them won't scale and you'll run into problems with encodings of non-ASCII characters.