sanitizer strips part of the value when the value contains a forward slash
GoogleCodeExporter opened this issue
What steps will reproduce the problem?
1. Add the following line to JsonSanitizerTest: assertSanitized("dev/comment",
"dev/comment");
2. Run the test.
What is the expected output? What do you see instead?
Instead of the expected output "dev/comment", we get "dev".
What version of the product are you using? On what operating system?
latest git version, Windows 7
Original issue reported on code.google.com by davidcyp...@gmail.com
on 30 Jan 2015 at 10:14
Original comment by mikesamuel@gmail.com
on 31 Jan 2015 at 6:09
- Changed state: Accepted
Shouldn't the expected output be quoted?
assertSanitized("\"dev/comment\"", "dev/comment");
not
assertSanitized("dev/comment", "dev/comment");
Why should "/comment" be included in the quoted string output?
Original comment by mikesamuel@gmail.com
on 31 Jan 2015 at 9:29
Correct, the expected output should indeed be quoted.
This still gives us:
Expected :"dev/comment"
Actual :"dev"
For your second question, my explanation might be a little bit confusing. I
shouldn't have used the word "comment". Actually, we want to send a list of
file paths via JSON, e.g.:
"Volumes/disk1/file1","Volumes/disk1/file2", ..
We understand that comments beginning with /* or // will be stripped, but right
now, also everything after a single forward slash is removed. Thus we get
"Volumes" instead of "Volumes/disk1/file1".
Original comment by davidcyp...@gmail.com
on 2 Feb 2015 at 8:38
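The symptom described in this thread (a forward slash inside a string literal being treated as the start of a comment) comes down to whether the comment scanner tracks JSON string state. The following is an added illustration, not code from the json-sanitizer project (which is Java) and not its actual fix: it pairs a constructed scanner that reproduces the symptom with a string-aware one that only strips `//` and `/* */` comments outside string literals, and runs both over the reporter's file-path input. Python is used so the example runs stand-alone; the function names and the sample inputs are constructed for this example.

```python
"""Why a JSON comment stripper must be string-aware (constructed example)."""


def strip_comments_naive(src: str) -> str:
    """Constructed 'broken' scanner: treats any '/' as the start of a
    line comment, even inside a string literal. This reproduces the
    symptom reported above ("Volumes/disk1/file1" -> "Volumes")."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == '/':
            # Drop everything up to the end of the line.
            j = src.find('\n', i)
            i = n if j < 0 else j
            continue
        out.append(c)
        i += 1
    return ''.join(out)


def strip_json_comments(src: str) -> str:
    """String-aware scanner: removes // and /* */ comments that occur
    outside string literals; a '/' inside a string is ordinary data.
    Backslash escapes are copied verbatim so that '\\"' does not end
    the string early."""
    out = []
    i, n = 0, len(src)
    in_string = False
    while i < n:
        c = src[i]
        if in_string:
            out.append(c)
            if c == '\\' and i + 1 < n:
                # Copy the escaped character unchanged (e.g. \" or \/).
                out.append(src[i + 1])
                i += 2
                continue
            if c == '"':
                in_string = False
            i += 1
            continue
        if c == '"':
            in_string = True
            out.append(c)
            i += 1
            continue
        if c == '/' and i + 1 < n and src[i + 1] == '/':
            # Line comment: skip to the newline, keep the newline itself.
            j = src.find('\n', i)
            i = n if j < 0 else j
            continue
        if c == '/' and i + 1 < n and src[i + 1] == '*':
            # Block comment: skip past the closing '*/' (or to end of input).
            j = src.find('*/', i + 2)
            i = n if j < 0 else j + 2
            continue
        out.append(c)
        i += 1
    return ''.join(out)


# Constructed sample inputs mirroring the thread: file paths in strings,
# plus real comments outside strings that should be removed.
PATH_LIST = '["Volumes/disk1/file1","Volumes/disk1/file2"]'
WITH_LINE_COMMENT = '{"a": 1, // trailing comment\n "b": 2}'
WITH_BLOCK_COMMENT = '{"a": /* note */ 1}'
SLASHES_IN_STRING = '"a \\" // not a comment"'


def compare(src: str) -> dict:
    """Return both scanners' output for one input, for side-by-side review."""
    return {"naive": strip_comments_naive(src), "aware": strip_json_comments(src)}


if __name__ == "__main__":
    for label, sample in [("paths", PATH_LIST), ("line", WITH_LINE_COMMENT),
                          ("block", WITH_BLOCK_COMMENT), ("escaped", SLASHES_IN_STRING)]:
        print(label, compare(sample))
```

The naive scanner truncates the path list at the first slash and leaves an unterminated string, which is exactly the kind of output the reporter saw; the string-aware scanner leaves the path strings intact while still removing the two comment forms outside strings.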
Any update on this? Has this issue been fixed, or is there some workaround for this?
Original comment by i.imrans...@gmail.com
on 16 Mar 2015 at 9:18
afaik, there is not yet any update on this issue.
Original comment by davidcyp...@gmail.com
on 16 Mar 2015 at 9:34
Thanks for your reply David. So how are you handling this case? Because I have
the same case... Do you have any alternative for this?
Original comment by i.imrans...@gmail.com
on 16 Mar 2015 at 10:29
Actually, we do not have an alternative yet. We have investigated the ESAPI
libraries, but ran into similar problems.
Original comment by davidcyp...@gmail.com
on 16 Mar 2015 at 10:34
OK. I will try to fix this one. Have you made any effort in this direction? If
yes, please share it with me so that I don't try to reinvent the wheel from
scratch...
Original comment by i.imrans...@gmail.com
on 16 Mar 2015 at 10:43
Nope, we didn't invest any more time on it.
Original comment by davidcyp...@gmail.com
on 16 Mar 2015 at 10:46
@david.
I have fixed the code; can you please support me in testing?
Original comment by i.imrans...@gmail.com
on 18 Mar 2015 at 10:06
I am attaching the fix for this defect along with a test case. It passed all the
existing test cases and the case for which this defect has been raised. I am not
part of the project, hence I cannot update these in the repo.
Original comment by i.imrans...@gmail.com
on 19 Mar 2015 at 4:56
Hi, I will test your code within the next few days.
Original comment by davidcyp...@gmail.com
on 19 Mar 2015 at 8:35
Thank you for this patch. I will review it and ask Mike to do the same. Also
curious about David Cypers' feedback.
THANK YOU imransaeed - Patches and help are awesome! I'll ask Mike about
getting you direct access.
Aloha,
Jim
Original comment by j...@manico.net
on 20 Mar 2015 at 9:00
Jim, thanks for your appreciation. Can you please tell me if you have reviewed
the patch and if there is any feedback on this?
@David Cypers Can you please share your feedback with us if you have been able
to find some free time?
Original comment by i.imrans...@gmail.com
on 25 Mar 2015 at 3:32
I have been able to test our basic test cases against it, and it works flawlessly!
Original comment by davidcyp...@gmail.com
on 25 Mar 2015 at 8:32
9227e9d should address this.
Any comments from the submitters if this is an acceptable patch?
Hello,
the patch is working for my case!
Thx imransaeed
Hi,
regarding this issue,
I see the pom is updated to 1.2-SNAPSHOT. However, I don't see a release of 1.1.
In the repository, I can only find 1.1-SNAPSHOT: https://oss.sonatype.org/#nexus-search;quick~mikesamuel
Is there an actual release of 1.1 coming up?
Thx
I'm working to get https://github.com/OWASP/json-sanitizer/releases/tag/json-sanitizer-1.1 in maven.
Version 1.1 is available: http://search.maven.org/#search%7Cga%7C1%7Cjson-sanitizer