Golang struct unmarshal xss

I have a struct which has XSS injected in it. In order to remove it, I json.Marshal it, then run json.HTMLEscape. Then I json.Unmarshal it into a new struct.

The problem is the new struct has XSS injected still.

I simply can't figure how to remove the XSS from the struct. I can write a function to do it on the field but considering there is json.HTMLEscape and we can Unmarshal it back it should work fine, but its not.

type Person struct {
    Name string `json:"name"`
}
func main() {
    var p, p2 Person
     // p.Name has XSS
    p.Name = "<script>alert(1)</script>"
    var tBytes bytes.Buffer

    // I marshal it so I can use json.HTMLEscape
    marshalledJson, _ := json.Marshal(p)
    json.HTMLEscape(&tBytes, marshalledJson)

    // here I insert it into a new struct, sadly the p2 struct has the XSS still 
    err := json.Unmarshal(tBytes.Bytes(), &p2)
    if err != nil {
        fmt.Printf(err.Error())
    }
    fmt.Print(p2)

}

expected outcome is p2.Name to be sanitized like <script>alert(1)</script>

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dputlf5431 2019-08-30 22:48
关注
First, json.HTMLEscape doesn't do what you want:

HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029 characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029 so that the JSON will be safe to embed inside HTML <script> tags.

but what you want is:

p2.Name to be sanitized like <script>alert(1)</script>

which you can get by calling html.EscapeString, but not by any of the json encoder routines.¹

Second, if you inspect the result of json.Marshal you'll see that it has already replaced < with \u003c and so forth—it's already done the json.HTMLEscape, so json.HTMLEscape does not have any characters to replace! See https://play.golang.org/p/Zergs3bwElY for an example.

As Ahmed Hashem noted, if you really want to do this sort of thing, you can use reflection to find string fields (as in Implement XSS protection in Golang)—but in general it's probably wiser to do this at the point of input. Note that the answer there does not recurse into inner objects that might contain strings.

¹JSON is not HTML, nor XML, etc. Keep them separate in your head, and in your code.

See also https://medium.com/@oazzat19/what-is-the-difference-between-html-vs-xml-vs-json-254864972bbb, a short summary of how we got here that as far as I can tell has no errors, which is pretty good for a random web article. :-) When using JSON, we get very simple typed data: objects, strings, numbers, lists/arrays, boolean, and null; see https://www.w3schools.com/js/js_json_syntax.asp, https://www.w3schools.com/js/js_json_objects.asp, and https://cswr.github.io/JsonSchema/spec/basic_types/ for instance.

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

GoLang Struct到JSON不转换 json
2015-11-25 08:33

回答 1 已采纳 Fields in your structures starts with lower case so they are not marshalled to JSON. Make them sta
在golang，Unmarshal JSON和无效字符中使用HTTP Client for Places API http json
2018-06-25 18:33

回答 1 已采纳 Thank you for the help, ended up finding the answer. The issue was partly with my understanding of
在Golang中实施XSS保护 xss
2017-05-26 13:29

回答 1 已采纳 You can use reflection to loop over the fields and escape the string fields. For example: myStruc
Golang笔记
2023-10-18 15:27

The Straggling Crow的博客 01 = 和 := 的区别？ = 是基本的赋值运算符，用于将右边的值赋给左边的变量。例如： a = 10 b = "hello...json.Unmarshal(jsonData, &newPerson) if err != nil { fmt.Println("JSON deserialization error:", err) ...
调用struct属性方法时Golang struct指针引用丢失
2018-12-29 08:03

回答 2 已采纳 Okay， I know what u'r exactly asking finally. New() methods returns a value, not a pointer, whic
Golang JSON Unmarshal序列号 json
2016-08-21 19:46

回答 1 已采纳 In JSON, "1" is a string. If you use 1 in your example instead, it's properly unmarshalled as a fl
Golang Unmarshal JSON json
2016-10-07 09:54

回答 3 已采纳 1- Here is the working code,try it on The Go Playground: package main import ( "encoding/jso
golang做php的中间件,使用 Go 处理中间件
2021-04-28 04:46

西西里的小裁缝的博客 = nil { logrus.Errorf( "response body 不能被解析为 model.Response struct, body: `%s`, err: `%v`", blw.body.Bytes(), err, ) code = errno.InternalServerError.Code message = err.Error() } else { code = ...
Golang中的Json Unmarshal类型模型 json
2017-02-01 23:52

回答 2 已采纳 Your model is totally correct and valid, but the JSON object is not. "Fruits" doesn't have name if
动态修改Golang struct {}值上的属性，另外
2018-10-28 03:53

回答 1 已采纳 Use the reflect package for this: func setFields(dst, src interface{}, names ...string) { d :
Golang json Unmarshal“ JSON输入意外结束” json
2015-01-16 23:17

回答 2 已采纳 The unexpected end of JSON input is the result of a syntax error in the JSON input (likely a missi
golang 开发常见坑
2019-11-22 12:43

whatday的博客 50 Shades of Go: Traps, Gotchas, and Common Mistakes for New Golang Devs 翻译: Go的50度灰：新Golang开发者要注意的陷阱、技巧和常见错误 , 译者: 影风LEY Go是一门简单有趣的语言，但与其他语言类似，...
Golang Unmarshal切片类型接口 json
2017-07-02 13:33

回答 1 已采纳 Thought that way to distinguish whether the json is Circle or Rectangle. In your JSON, there is no
golang string 加号连接性能慢_手把手教你用Golang封装一款适合自己使用的Web编程框架
2020-10-28 22:02

weixin_39879122的博客以下文章来源于非正式解决方案，作者winlion非正式解决方案思考链接价值,非正式解决方案,既扯高大上如人工智能、大数据，也关注码农日常如分布式、java和golang,每天分享瞎想的东西。MVC 应用一般结构目录结构说明...
客观评价golang的优缺点
2019-05-21 18:19

思月行云的博客 Go 语言的优点，缺点和令人厌恶的设计 - Go语言中文网 - Golang中文社区这是一个创建于 2018-05-06 22:44:53 的文章，其中的信息可能已经有所发展或是发生改变。这是关于「Go是一门设计糟糕的编程语言（Go is...
没有解决我的问题, 去提问

悬赏问题

¥15 使用EMD去噪处理RML2016数据集时候的原理
¥15 神经网络预测均方误差很小但是图像上看着差别太大
¥15 Oracle中如何从clob类型截取特定字符串后面的字符
¥15 想通过pywinauto自动电机应用程序按钮，但是找不到应用程序按钮信息
¥15 如何在炒股软件中，爬到我想看的日k线
¥15 seatunnel 怎么配置Elasticsearch
¥15 PSCAD安装问题 ERROR: Visual Studio 2013, 2015, 2017 or 2019 is not found in the system.
¥15 (标签-MATLAB|关键词-多址)
¥15 关于#MATLAB#的问题，如何解决？（相关搜索：信噪比，系统容量）
¥500 52810做蓝牙接受端

Golang struct unmarshal xss

1条回答 默认 最新

悬赏问题

1条回答默认最新