fix + in json
#3663
fix + in json
#3663
Conversation
cschuchardt88
added
Waiting for Review
Work in Progress
and removed
Waiting for Review
labels
|
This can lead to some state diff, needs to be checked. |
There was a problem hiding this comment.
This is how you do it Check out https://www.unicode.org/charts/PDF/U0000.pdf for Basic Latin Unicode block (U+0021-U+007F).
There was a problem hiding this comment.
@shargon
I fixed the issue on the branch for you. Check and test changes.
| internal override void Write(Utf8JsonWriter writer) | ||
| { | ||
| writer.WriteStringValue(Value); | ||
| writer.WriteRawValue($"\"{DefaultEncoder.Encode(Value).Replace("\\u002B", "+")}\""); |
There was a problem hiding this comment.
Keep in mind allowing the + (plus) sign is a security risk, reference: dotnet/runtime#35281
Only for XSS injection though.
Note: After searching for hours with no luck for solution. I came up with this solution on my own. Its dirty and could have bugs or exploits, however am 99% sure we don't. Need more tests.
There was a problem hiding this comment.
But it works with newtonsoft (according your reference)
There was a problem hiding this comment.
Newtonsoft uses it own custom library. It doesn't use dotnet built-in JSON libraries.
| Assert.AreEqual(@"{""test"":""+""}", parsed.ToString()); | ||
|
|
||
| Assert.AreEqual(@"{""\uAAAA"":true}", parsed.ToString()); | ||
| json = @" {""测试"": true}"; |
There was a problem hiding this comment.
Had to allow UnicodeRanges.CjkUnifiedIdeographs for these characters for json DefaultEncoder.
| Assert.AreEqual(@"{""test"":true}", parsed.ToString()); | ||
|
|
||
| json = @" {""\uAAAA"": true}"; | ||
| json = @" {""test"":""+""} "; |
There was a problem hiding this comment.
Can we keep this test-case with \uAAAA? It's a nice compatibility test for NeoGo.
There was a problem hiding this comment.
In fact I think this will be dropped, no way to do it without unsafe relaxing if we use native json
There was a problem hiding this comment.
Doesnt use unsafe relaxing currently. And its working fine now.
There was a problem hiding this comment.
Replace is a dirty fix, performance is affected always, not only when it contains +
There was a problem hiding this comment.
|
|
||
| static JToken() | ||
| { | ||
| DefaultEncoder = JavaScriptEncoder.Create(UnicodeRanges.BasicLatin, UnicodeRanges.CjkUnifiedIdeographs); |
There was a problem hiding this comment.
Does it change the old behaviour except the + symbol?
There was a problem hiding this comment.
Checkout #3663 (comment), but it should be the exactly the same with the addition of the + (plus sign).
|
Maybe we can use |
We tried that and works great. However it allows for |
I remember that we tried with bad results, other characters are not scaped, maybe the '+' I don't remember very well, maybe @roman-khimov yes |
|
See #2050. While the problem is valid and it'd be nice to fix it, I fear changing anything can break things. |
I based off the things I tested on my local machine it worked for |
Putting strings directly into HTML without processing will always bring security issues. I don't think solving the XSS injection problem should be implemented by the contract interaction interface. |
Description
Fix #2612
Based on https://github.com/neo-project/neo/pull/2050/files
Type of change
How Has This Been Tested?
JsonTest_ObjectTest Configuration:
Checklist: