
I am using Spring MVC and I have an endpoint with HTTP method POST.

import java.io.Serializable;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import javax.validation.Valid;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseBody;

// POST endpoint; the mapping path is not shown in the question, so only the HTTP method is declared here.
@PostMapping
@ResponseBody
public ResponseEntity<Object> request(@RequestBody @Valid RequestPayload requestBody){
 //Code
}

// Top-level request body: an operation name plus a collection of free-form payload entries.
public class RequestPayload {

    private String op;
    private Collection<Payload> payload;
    //Getter & Setters

}

// Each entry is an open map, so both keys and values are attacker-controlled.
public class Payload implements Serializable {
    private Map<String, Object> properties = new HashMap<>();
    //Getter & Setters
}

I have used JSON Sanitizer & Jsoup to convert it to JSON and back to a Java class using the code below.

import java.io.IOException;
import java.util.Objects;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.fasterxml.jackson.databind.ObjectMapper;

private static final Logger LOGGER = LoggerFactory.getLogger(RequestSanitizer.class);
private static final ObjectMapper MAPPER = new ObjectMapper();

// Serialise the POJO to JSON, run the JSON text through Jsoup, and read it back into the same class.
// Note: Jsoup.clean() parses the JSON text as an HTML fragment; with Whitelist.none() every tag is
// dropped and any '<', '>' or '&' left in string values comes back entity-encoded (&lt; &gt; &amp;).
public static <T> T sanitizeHTML(T requestBody, Class<T> klass) {
    if(Objects.nonNull(requestBody)) {
        try {
            return MAPPER.readValue(Jsoup.clean(MAPPER.writeValueAsString(requestBody), Whitelist.none()), klass);
        } catch (IOException e) {
            // Pass the throwable as the last argument so the stack trace is logged.
            LOGGER.error("Exception occurred while removing XSS texts", e);
        }
    }
    // On failure the unsanitized body is returned as-is.
    return requestBody;
}

I have also tried using ESAPI & JSON Sanitizer. For request params and headers I am using the code below and it's working fine.

import org.apache.commons.lang.StringEscapeUtils;

// commons-lang 2.x escapeHtml: encodes '<', '>', '&' and '"' as HTML entities (the single quote is not encoded).
public static String sanitizeHTML(String value) {
    return StringEscapeUtils.escapeHtml(value);
}

Could you please suggest what to use to sanitize a POST request or a POJO?

I get the error below from Checkmarx:

"Method request at line l1 of Class C1 gets user input for the requestBody element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method request line 161 of Class C1. This may enable a Cross-Site-Scripting attack."
cody123

0 Answers
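The question's approach round-trips the POJO through Jsoup as a string, which treats the JSON text itself as HTML. The example below, added here and not part of the question or any answer, does the same round-trip through Jackson's tree model instead: it walks the `JsonNode` tree and HTML-encodes every string, both map values and map keys (the keys of `Map<String, Object> properties` are attacker-controlled too), while leaving numbers, booleans and nulls untouched so the class deserialises with the right types. The `Payload` class inside it is a stand-in for the question's class with an assumed getter/setter shape; `PayloadEncoder`, `encodeForHtml` and the sample input are assumptions of this example. One caveat for the Checkmarx finding: encoding on input stores entity-encoded data and double-encodes if the view layer encodes again; encoding at the point where the value is written into the HTML response is what the finding actually asks for, and this helper is only a way to do that for a whole object at once.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;

public final class PayloadEncoder {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Stand-in for the question's Payload class (assumed shape: one free-form map with getter/setter).
    public static final class Payload {
        private Map<String, Object> properties = new HashMap<>();
        public Map<String, Object> getProperties() { return properties; }
        public void setProperties(Map<String, Object> properties) { this.properties = properties; }
    }

    // Encode the five characters that are significant in an HTML text or attribute context.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Rebuild the tree with every string (object keys included) HTML-encoded.
    // Numbers, booleans and nulls are returned as they are so deserialisation keeps their types.
    static JsonNode encodeStrings(JsonNode node) {
        if (node.isTextual()) {
            return TextNode.valueOf(escapeHtml(node.textValue()));
        }
        if (node.isObject()) {
            ObjectNode out = MAPPER.createObjectNode();
            Iterator<Map.Entry<String, JsonNode>> fields = node.fields();
            while (fields.hasNext()) {
                Map.Entry<String, JsonNode> field = fields.next();
                out.set(escapeHtml(field.getKey()), encodeStrings(field.getValue()));
            }
            return out;
        }
        if (node.isArray()) {
            ArrayNode out = MAPPER.createArrayNode();
            for (JsonNode child : node) {
                out.add(encodeStrings(child));
            }
            return out;
        }
        return node;
    }

    // Round-trip: POJO -> tree -> encoded tree -> POJO of the same class.
    public static <T> T encodeForHtml(T body, Class<T> type) {
        if (body == null) {
            return null;
        }
        JsonNode encoded = encodeStrings(MAPPER.valueToTree(body));
        try {
            return MAPPER.treeToValue(encoded, type);
        } catch (JsonProcessingException e) {
            // Fail closed: returning the raw body on error would silently skip the encoding.
            throw new IllegalArgumentException("request body could not be re-read after encoding", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input for this example, not taken from the question.
        Payload p = new Payload();
        p.getProperties().put("name", "<script>alert(1)</script>");
        p.getProperties().put("<img src=x onerror=alert(1)>", "hostile key");
        p.getProperties().put("count", 3);

        Payload safe = encodeForHtml(p, Payload.class);
        System.out.println(safe.getProperties());
    }
}
```

Running `main` prints the map with both the `name` value and the hostile key entity-encoded, while `count` is still the integer 3. Because the walk happens on the tree rather than on the serialised JSON text, the JSON structure itself (quotes, braces, commas) is never exposed to an HTML parser and whitespace inside values is preserved.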