OWASP Json Sanitizer
Thank you for visiting OWASP.org. We recently migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done. The historical content can be found here.
Please visit our Page Migration Guide for more information about updating pages for the new website as well as examples of github markdown.
This is an example of a Project or Chapter Page.
What is this?
The OWASP JSON Sanitizer Projects provides:
The OWASP JSON Sanitizer Projects provides:
Importing the JSON Sanitizer
You can fetch the jars from Maven Central or you can let your favorite java package manager handle it for you via:
Once you’ve got the JSON sanitizer JAR on your classpath,
will let you call
String wellFormedJson = JsonSanitizer.sanitize(myJsonLikeString);
If you have further questions, check our support list.
The OWASP JSON Sanitizer Project is a simple to use Java library that can be attached at either end of a data-pipeline. When applied to JSON-like content from others, this project will produce well-formed JSON that should satisfy any parser you use. When applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.
Applications also often have web service APIs that receive JSON from a variety of sources. When this JSON is created using ad-hoc methods, this library can massage it into a form that is easy to parse.
By hooking this library into the code that sends and receives requests and responses, this library can help software architects ensure system-wide security and well-formedness guarantees.
The sanitizer takes JSON like content, and interprets it as JS eval would. Specifically, it deals with these non-standard constructs.
||Single quoted strings are converted to JSON strings.|
||Hex escapes are converted to JSON unicode escapes.|
||Octal escapes are converted to JSON unicode escapes.|
||Hex integer literals are converted to JSON decimal numbers.|
||Octal integer literals are converted to JSON decimal numbers.|
||Decimal numbers are coerced to JSON’s stricter format.|
||Elisions in arrays are filled with
||Trailing commas are removed.|
||Unquoted property names are quoted.|
||JS style line and block comments are removed.|
||Grouping parentheses are removed.|
The sanitizer fixes missing punctuation, end quotes, and mismatched or
missing close brackets. If an input contains only white-space then the
valid JSON string
null is substituted.
The output is well-formed JSON as defined by RFC 4627. The output satisfies three additional properties:
- The output will not contain the substring (case-insensitively)
"</script"so can be embedded inside an HTML script element without further encoding.
- The output will not contain the substring
"]]>"so can be embedded inside an XML CDATA section without further encoding.
evalbuiltin (after being wrapped in parentheses) or by
JSON.parse. Specifically, the output will not contain any string literals with embedded JS newlines (U+2028 Paragraph separator or U+2029 Line separator).
- The output contains only valid Unicode scalar values (no isolated UTF-16 surrogates) that are allowed in XML unescaped.
Since the output is well-formed JSON, passing it to eval will have no side-effects and no free variables, so is neither a code-injection vector, nor a vector for exfiltration of secrets.
var myValue = eval(sanitizedJsonString); // safe
var myEmbeddedValue = eval(myValue.foo); // possibly unsafe
Additionally, sanitizing JSON cannot protect an application from Confused Deputy attacks
var myValue = JSON.parse(sanitizedJsonString);
The sanitize method will return the input string without allocating a new buffer when the input is already valid JSON that satisfies the properties above. Thus, if used on input that is usually well formed, it has minimal memory overhead.
The sanitize method takes O(n) time where n is the length in UTF-16 code-units.
The JSON Sanitizer is similar to a decoupling capacitor.
Any module that takes noisy input in and puts out clean output helps *decouple* the security properties of one piece of code (that uses eval) from the security properties of another (that concatenates untrusted strings to produce JSON) so that a failure in one does not necessitate a failure in the other.
Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.