Just my two cents: this doesn't feel like something that is in scope for an HTML (and more generally, markup such as XML) sanitizer, so I don't see this as a good feature to add to the core library. As an extension library, sure - those who want HtmlSanitizer to sanitize all the things could add

```csharp
using Ganss.Xss;
using Ganss.Xss.Json;

var sanitizer = new HtmlSanitizer()
    .WithJson();

var json = "{ \"foo\": \"bar\" }"; /* your JSON string would be a lot more complicated than this, obviously */
var sanitized = sanitizer.SanitizeJson(json);

/*
Should be an explicit method name, I think, like how Sanitize(), SanitizeDom(), and SanitizeDocument() all handle
the input string differently.
This method would be expected to return a properly-encoded JSON string, possibly normalized.
*/
```
I agree with @tiesont and I don't even think a general-purpose extension library makes sense. JSON in itself has no XSS risk, only HTML in JSON string values. How would a library identify the string values that can contain HTML? Just pretend that all string values might contain HTML? Or only string property values? Or let the user provide JSON Path/Pointer to identify them? IMO you'll still have to parse the JSON somewhere further downstream where you have knowledge of the JSON structure/schema, and that's where sanitizing should occur, for only those values that contain HTML.
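The approach the reply above argues for, as an added example that is not part of the discussion and not code from the HtmlSanitizer project: the JSON is parsed with `System.Text.Json.Nodes` where its structure is known, and `HtmlSanitizer.Sanitize(string)` (the library's real method, under the `Ganss.Xss` namespace already used on this page) runs only over the string values selected by a caller-supplied list of JSON-Pointer-style paths. The `JsonHtmlFields` class, the `HtmlFieldPaths` list, the `*` wildcard for array indices and the sample payload are all constructed for this example.

```csharp
// Added example, not from the discussion above or from the HtmlSanitizer project.
// Parse the JSON where its schema is known and sanitize only the string values
// that are allowed to carry HTML, selected by hypothetical JSON-Pointer-style paths.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Nodes;
using Ganss.Xss;

public static class JsonHtmlFields
{
    // Hypothetical: in a real service this list comes from the endpoint's schema.
    // "*" matches every index of an array.
    private static readonly string[] HtmlFieldPaths =
    {
        "/post/body",
        "/comments/*/text",
    };

    public static string SanitizeKnownHtmlFields(string json)
    {
        JsonNode root = JsonNode.Parse(json) ?? throw new ArgumentException("empty JSON document");
        var sanitizer = new HtmlSanitizer();   // default allow-list of tags, attributes and styles

        foreach (string path in HtmlFieldPaths)
        {
            string[] segments = path.Split('/', StringSplitOptions.RemoveEmptyEntries);
            if (segments.Length > 0)
                SanitizeAt(root, segments, 0, sanitizer);
        }
        return root.ToJsonString(new JsonSerializerOptions { WriteIndented = true });
    }

    // Walks one path and replaces matching string leaves with their sanitized form.
    private static void SanitizeAt(JsonNode node, string[] segments, int index, HtmlSanitizer sanitizer)
    {
        string segment = segments[index];
        bool last = index == segments.Length - 1;

        switch (node)
        {
            case JsonObject obj:
            {
                if (!obj.TryGetPropertyValue(segment, out JsonNode? child) || child is null)
                    return;
                if (!last)
                    SanitizeAt(child, segments, index + 1, sanitizer);
                else if (TrySanitizeLeaf(child, sanitizer, out JsonNode clean))
                    obj[segment] = clean;   // a fresh node with no parent, so the assignment is valid
                break;
            }
            case JsonArray arr:
            {
                IEnumerable<int> indices;
                if (segment == "*")
                    indices = Enumerable.Range(0, arr.Count);
                else if (int.TryParse(segment, out int i) && i >= 0 && i < arr.Count)
                    indices = new[] { i };
                else
                    return;

                foreach (int idx in indices)
                {
                    JsonNode? element = arr[idx];
                    if (element is null) continue;
                    if (!last)
                        SanitizeAt(element, segments, index + 1, sanitizer);
                    else if (TrySanitizeLeaf(element, sanitizer, out JsonNode clean))
                        arr[idx] = clean;
                }
                break;
            }
            // A scalar where a container was expected: the path simply does not apply.
        }
    }

    // Only string leaves are sanitized; numbers, booleans, null and nested containers are left alone.
    private static bool TrySanitizeLeaf(JsonNode node, HtmlSanitizer sanitizer, out JsonNode clean)
    {
        if (node is JsonValue value && value.TryGetValue<string>(out string? html) && html is not null)
        {
            clean = JsonValue.Create(sanitizer.Sanitize(html))!;
            return true;
        }
        clean = node;
        return false;
    }

    public static void Main()
    {
        // Constructed sample payload: "title" is deliberately NOT an HTML field, so it is left untouched,
        // while "body" and every comment's "text" go through HtmlSanitizer.
        const string payload =
            "{ \"post\": { \"title\": \"<b>untouched</b>\", \"body\": \"<p onclick=\\\"alert(1)\\\">hi</p><script>alert(1)</script>\" }," +
            "  \"comments\": [ { \"text\": \"<a href=\\\"javascript:alert(1)\\\">x</a>\", \"score\": 3 } ] }";
        Console.WriteLine(SanitizeKnownHtmlFields(payload));
    }
}
```

Keeping the path list next to the endpoint that owns the schema is the point of the design: a generic "sanitize every string" pass would mangle fields such as `title` that are meant to be shown as plain text, while a schema-aware pass touches exactly the fields that will later be rendered as HTML.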
Do you think it would be worthwhile to add a middleware layer that parses incoming JSON from the API and sanitizes it before it hits the core logic?
I’ve used a similar approach in a past project to mitigate malformed payloads and injection risks—it proved to be a robust layer of resilience. If you think it aligns well with the current architecture, I’d be happy to raise a pull request with the proposed changes.