I am reinventing the wheel and creating my own JSON parse methods in Java.
I am going by the (very nice!) documentation on json.org. The only part I am unsure about is where it says "or control character"
Since the documentation is so clear, and JSON is so simple and easy to implement, I thought I would go ahead and require the spec instead of being loose.
How would I correctly strip out control characters in Java? Perhaps there is a unicode range?
I have been informed that there are other control characters outside of the defined range 1 2 that can be troublesome in <script>
tags.
Most notably the characters U+2028 and U+2029, Line and Paragraph Separator, which act as newlines. Injecting a newline into the middle of a string literal will most likely cause a syntax error (unterminated string literal). 3
Though I believe this does not pose an XSS threat, it is still a good idea to add extra rules for the use in <script>
tags.
\u
notation. Those characters are uncommon to begin with. If you like, you could add to the white-list, but I do recommend a white-list approach.</script
(not case sensitive), which could cause HTML script injection to your page with the characters </script><script src=http://tinyurl.com/abcdef>
. None of those characters are by default encoded in JSON.Will Character.isISOControl(...) do? Incidentally, UTF-16 is an encoding of Unicode codepoints... Are you going to be operating at the byte level, or at the character/codepoint level? I recommend leaving the mapping from UTF-16 to character streams to Java's core APIs...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With