Is there a secure way to validate an incoming untrusted JSON string in php?
The client shows a dynamic form. The user can enter data into that form. The data needs to be saved on the server. The server will not work with the data, it will only pass it on to the client the next time the page is loaded in order to restore the forms values. Therefore I do not want to check every value separately and save it into its own database field.
I want to save it as a JSON string and insert it into the DOM as a object variable on every page load. Is there a secure way to sanitize the incoming JSON string for that?
If you're injecting the code into a script tag and you want to guarantee that it is pure Javascript code, without any potentially dangerous XSS vulnerabilities, the simple way would be to use PHP first to decode it and then to re-encode it.
$safeJSON = json_encode(json_decode($unsafeJSON));
Anything that is invalid JSON will return null when json_decode is called on it. In this case, the string "null" would be returned to your browser, which is unlikely to do any harm in this context!
It's worth noting, however, that what you are doing is only potentially unsafe because this is not actually JSON. When it's being used inside a script tag, it's simply a Javascript object literal. If you were using it as JSON, e.g. by doing an AJAX call, it would not be a security vulnerability because the browser will not recognise invalid JSON in a JSON.parse call. See this excellent blog post for more information on the difference between Javascript objects and JSON.
Related
When I POST data to my server using a regular old form submit I can pull that data from the $_POST variable, but when POSTing JSON data via AJAX I need to access it via file_get_contents('php://input'). Why is that? In both cases I am using the POST method, are there some explicit headers I should be setting on my AJAX call? I have only ever come up against this problem on the current development server and have never had to use file_get_contents('php://input') before. Is there a server setting somewhere? Can I change this behaviour with a .htaccess?
Add this to the top of your .php file:
$_POST = json_decode(file_get_contents("php://input"), true);
so that the contents will be property decoded and available. After that, you can access individual keys as usual.
So as far as I have been able to find out, this has something to do with the way the data is received by the server - PHP can't natively parse JSON. Sending plain old JSON objects from Javascript to PHP will result in PHP not knowing what to do with the datatype, and thus it won't be able to prepopulate the appropriate global variables.
In order to get around it I added a check to my ajax wrapper function that intercepts the JSON, encodes is as a FormData object and shoots that off to the server instead.
The use case is - user will request some data, user can edit that data and user can persist data on server side. In this scenario I want to have some integrity of data. Here legitimate use can resend the request from Developer tool by putting some malicious values(user is editing in rich text editor) in the JSON data.
To resolve this I am using an approach of calculating MD5/SHA256 of JSON data and send that hash along with data and at server side recalculate the hash from data and compare that hash with input hash. To make it tough I am using salt while generating the hash. The approach I am using is when user logs in- create a Salt and store that in user's session. When user requests the page i am sending the Salt in ModalMap. When user sends request to persist that JSON data, I will use the salt+data to generate hash
Now, my problem here is I want the salt to be hidden from user. The EL evaluated attributes are visible to user from page source and same is the case for scriptlet or jstl.
So, is there any way of accessing some attribute secretly on JSP page?.
I understand that when JSP gets parsed all those tags gets evaluated.
Minification of JS will make it little harder to find but is will not be impossible to retrieve the salt value.
I also understand that I should have such logic at server side but the requirement is preventing me to do that.
If I cannot access attributes secretly then is there any other approach of doing that?.
I have not included any source code here because it's generic.
I'm trying to do client-side processing of some data sent in a server's HTTP response.
Here's what I'm working with: I have a web application that sends commands to a backend simulation engine, which then sends back a bunch of data/results in the response body. I want to be able to access this response using JavaScript (note..not making a new response, but simply accessing the data already sent from the server).
Right now, I am able to do this via a kludgy hack of sorts:
var responseText = "{{response}}";
This is using Django's template system, where I have already pre-formatted the template context variable "response" to contain a pre-formatted string representation of a csv file (i.e., proper unicode separators, etc).
This results in a huge string being transmitted to the page. Right now, this supports my immediate goal of making this data available for download as a csv, but it doesn't really support more sophisticated tasks. Also, I'm not sure if it will scale well when my string is, say, 2 MB as opposed to less than 1 KB.
I'd like to have this response data stored more elegantly, perhaps as part of the DOM or maybe in a cache (?) [not familiar with this].
The ideal way to do this is to not load the csv on document load, either as a javascript variable or as part of the DOM. Why would you want to load a 2MB data every time to the user when his intention may not be to download the csv everytime?
I suggest creating a controller/action for downloading the csv and get it on click of the download button.
I am developing a web app which functions in a similar way to a search engine (except it's very specific and on a much smaller scale). When the user gives a query, I parse that query, and depending on what it is, proceed to carry out one of the following:
Grab data from an XML file located on another domain (ie: from www.example.com/rss/) which is essentially an RSS feed
Grab the HTML from an external web page, and proceed to parse it to locate text found in a certain div on that page
All the data is plain text, save for a couple of specific queries which will return images. This data will be displayed without requiring a page refresh/redirect.
I understand that there is the same domain policy which prevents me from using Javascript/Ajax to grab this data. An option is to use PHP to do this, but my main concern is the server load.
So my concerns are:
Are there any workarounds to obtain this data client-side instead of server-side?
If there are none, is the optimum solution in my case to: obtain the data via my server, pass it on to the client for parsing (with Javascript/Ajax) and then proceed to display it in the appropriate form?
If the above is my solution, all my server is doing with PHP is obtaining the data from the external domains. In the worst (best?) case scenario, let's say a thousand or so requests are being executed in a minute, is it efficient for my web server to be handling all those requests?
Once I have a clear idea of the flow of events it's much easier to begin.
Thanks.
I just finish a project to do the same request like your req.
My suggestion is:
use to files, [1] for frontend, make ajax call to sen back url; [2] receive ajax call, and get file content from url, then parse xml/html
in that way, it can avoid your php dead in some situation
for php, please look into [DomDocument] class, for parse xml/html, you also need [DOMXPath]
Please read: http://www.php.net/manual/en/class.domdocument.php
No matter what you do, I suggest you always archive the data in you local server.
So, the process become - search your local first, if not exist, then grab from remote also archive for - 24 hrs.
BTW, for your client-side parse idea, I suggest you do so. jQuery can handle both html and xml, for HTML you just need to filter all the js code before parse it.
So the idea become :
ajax call local service
local php grab xm/html (but no parsing)
archive to local
send filter html/xml to frontend, let jQuery to parse it.
HTML is similar to XML. I would suggest grabbing the page as HTML and traversing through it with an XML reader as XML.
I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.
I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.
What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?
This isn't a sanitization problem : you can very well put a string with quotes in JSON : the encoding simply escapes them.
Your problem is an encoding one. To build a JSON string in a browser, use JSON.stringify. To do it server side, you should use the tool provided by your (unmentionned) server side language/framework.
The awesome thing with JSON is that you do not need to sanitize anything. No matter what you feed to a JSON encoder - it will always output plain JSON. Obviously that JSON needs to be HTML-encoded in case you plan to use it within a HTML page. Depending on the JS encoder you need to ensure there's no </script> in there (e.g. by replacing / with \/).
You also do not need JSON.parse. JSON is a subset of JavaScript so you can do something like that (PHP-ish for simplicity):
<script>
var obj = <?= json_encode($whatever) ?>;
</script>
If you really want to include JSON as as tring inside JSON consider not doing it. You can just have the object itself there - no need to have a JSON string within your JSON data. But if you have this anyway it should also always work.