2021-04-28 16:49:39 +02:00
Setting the wrong Content-Type for a response can leave an application vulnerable to cross-site scripting attacks. Specifically, JSON should always be served with the ``++application/json++`` Content-Type.
This rule checks the Content-Type of responses containing classes in the ``++org.json++`` and ``++javax.json++`` packages.
2021-04-28 18:08:03 +02:00
2021-04-28 16:49:39 +02:00
== Noncompliant Code Example
----
public void doGet(HttpServletRequest request, HttpServletResponse response) {
JSONObject jsonRespone = getJsonResponse(request);
try {
response.setContentType("text/html"); // Noncompliant; wrong type
PrintWriter out = response.getWriter();
out.println(jsonResponse.toJSONString());
out.close();
} catch (IOException e) {
e.printStackTrace();
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response) { // Noncompliant; response type not set
JSONObject jsonRespone = getJsonResponse(request);
try {
PrintWriter out = response.getWriter();
out.println(jsonResponse.toJSONString());
out.close();
} catch (IOException e) {
e.printStackTrace();
}
}
----
2021-04-28 18:08:03 +02:00
2021-05-05 08:56:28 +00:00
:link-with-uscores1: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse
2021-04-28 16:49:39 +02:00
== See
* https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
2021-05-05 08:56:28 +00:00
* {link-with-uscores1}[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
2021-04-28 18:08:03 +02:00
2021-09-20 15:38:42 +02:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
endif::env-github,rspecator-view[]
