Html escape in byte array - xss issue

Question

I have byte array with html and try to escape. I convert byte array to string and replace special characters. When I make replace, my html doesnt work properly. It looks like a string and no css.

How to make properly ?

  String x= IOUtils.toString(getPdf(), "UTF-8");
  String secureX = replaceXssCharacters(x);
  return ResponseEntity.ok().contentType(
            MediaType.TEXT_HTML).body(secureX);


private String replaceXssCharacters(String value) {
if (value != null) {
  return value
          .replace("&","&#38;")
          .replace("<", "&#60;")
          .replace(">","&#62;")
          .replace("\"","&#34;")
          .replace("'","&#39;");
}
return null;

}

getPdf() returns the content of a PDF file as a byte array? – aled May 30 '23 at 14:25 — aled, May 30 '23 at 14:25
yes it s byte array and content of pdf file – k.kbr May 30 '23 at 14:26 — k.kbr, May 30 '23 at 14:26

score 0 · Answer 1 · answered May 30 '23 at 14:38

0

You should not treat a PDF file as text or a string. Doing so can corrupt the file. Treat it as a binary file. Also you should not return or process it as if it were an HTML. In Spring Boot the media type should be MediaType.APPLICATION_PDF_VALUE. Refer to this answer on the how to set the presentation in the browser.

answered May 30 '23 at 14:38

aled

21,330
3
27
34

But I need to show as html – k.kbr May 30 '23 at 15:06
Please expand in the question exactly what output do you expect of a PDF as HTML and provide examples. – aled May 30 '23 at 15:08

Html escape in byte array - xss issue

1 Answers1