Under the JSON specification, Japanese text does not need to be Unicode-escaped. Not escaping it might look bad from a confidentiality standpoint, but escaping does not really help either, since the text can be read as soon as it is decoded. Even so, security issues such as XSS are fine, because control characters can be escaped with the \ mark (→ what does that mean?).
↓ This is what it means: cross-site scripting.
If data containing a script tag is registered, the browser may read that data as a script tag and execute a malicious script. That is why control characters need to be escaped. Consequences include:
- Session hijacking
- A fake input form is embedded in the page and personal information is stolen
- False information is displayed on the web page
- Forced operations on the web page
Japanese output (no Unicode escaping) is obtained with `json.dumps(str, ensure_ascii=False)`.
> If ensure_ascii is true (the default), the output is guaranteed to have all incoming non-ASCII characters escaped. If ensure_ascii is false, these characters will be output as is.
However, if the implementation above is left as it is, control characters will not be escaped, which creates a vulnerability.
Characters that MUST be escaped according to the JSON specification (control character codes):
> the characters that MUST be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).
No. | Character |
---|---|
1. | " (double quotation mark) |
2. | \ (backslash) |
3. | NULl |
4. | Start Of Heading |
5. | Start of TeXt (text start) |
6. | End of TeXt |
7. | End Of Transmission |
8. | ENQuiry (inquiry) |
9. | ACKnowledge (acknowledgement) |
10. | BELl |
11. | Back Space |
12. | Horizontal Tabulation |
13. | Line Feed |
14. | Vertical Tabulation |
15. | Form Feed (page break) |
16. | Carriage Return |
17. | Shift Out |
18. | Shift In |
19. | Data Link Escape (transmission control extension) |
20. | Device Control 1 |
21. | Device Control 2 |
22. | Device Control 3 |
23. | Device Control 4 |
24. | Negative AcKnowledge |
25. | SYNchronous idle (synchronous signal) |
26. | End of Transmission Block |
27. | CANcel |
28. | End of Medium |
29. | SUBstitute |
30. | ESCape (extended) |
31. | File Separator |
32. | Group Separator |
33. | Record Separator |
34. | Unit Separator |
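An added check (not code from the original post) that serializes constructed sample data with `ensure_ascii=False`, verifies whether the MUST-escape characters from the table above come out escaped, and adds the extra escaping needed when the JSON is placed inside a script tag, which `json.dumps` does not do for `<`, `>` and `&`. The sample data and function names are my own.

```python
import json

# Constructed sample (not from the post): Japanese text plus each class of character
# that RFC 8259 says MUST be escaped (quotation mark, reverse solidus, U+0000..U+001F)
# and a closing script tag, the script-tag breakout case the post describes.
SAMPLE = {
    "name": "山田 \"太郎\" \\",
    "memo": "改行\nタブ\t制御\x00\x1f",
    "html": "終了タグ </script> を含む文字列",
}

# U+0000 through U+001F: the control characters listed in the table above.
CONTROL_CHARS = {chr(c) for c in range(0x20)}


def dumps_japanese(obj):
    """Serialize with ensure_ascii=False so Japanese is written as-is, not as \\uXXXX."""
    return json.dumps(obj, ensure_ascii=False)


def raw_control_chars(json_text):
    """Control characters that appear unescaped in the serialized text.
    An empty list means every U+0000..U+001F character was written as
    \\n, \\t, \\u0000 etc., as the specification requires."""
    return sorted({c for c in json_text if c in CONTROL_CHARS})


def round_trips(obj):
    """True if quotation marks and backslashes were escaped: the text parses back to obj."""
    return json.loads(dumps_japanese(obj)) == obj


def dumps_for_script_tag(obj):
    """JSON that is also safe to embed inside a <script> element.
    json.dumps never escapes '<', '>' or '&', so a value containing '</script>'
    would close the element and let the browser parse what follows as markup.
    Replacing them with \\uXXXX escapes keeps valid JSON that decodes to the same text."""
    text = dumps_japanese(obj)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def script_safe_round_trips(obj):
    """True if the script-safe form still decodes to the original object."""
    return json.loads(dumps_for_script_tag(obj)) == obj


if __name__ == "__main__":
    print(dumps_japanese(SAMPLE))
    print(dumps_for_script_tag(SAMPLE))
```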