users@jersey.java.net

[Jersey] Re: XSS attack prevention

From: Jakub Podlesak <jakub.podlesak_at_oracle.com>
Date: Mon, 27 Jan 2014 15:48:08 +0100

Hi Navin,

There is not a single generic feature in Jersey that would prevent an XSS attack based on JSON data.
IIUC, you need to correctly escape all HTML special characters.

For Jackson providers, you might want to use a custom CharacterEscapes implementation as described in the following link
to do proper HTML character escaping:

http://www.cowtowncoder.com/blog/archives/2012/08/entry_476.html

For MOXy, providing a custom MOXy CharacterEscapeHandler should allow you to do a similar thing (should work also for JSON payload):

http://stackoverflow.com/questions/4435934/problem-with-escape-characters-in-jaxb-marshaller

HTH,

~Jakub

On 21 Jan 2014, at 11:21, Navin Desai <ndesai_at_tagworldwide.com> wrote:

> Thanks for the reply. I agree that this can be done on the FE but we wanted to make our api XSS attack proof.
>
> I was looking for something that would automatically escape Html/script tags when json payload is received.
>
> One option is tagging each and every domain field individually to escape html but that looks like such a task.
>
> regards
> From: Navin Desai
> Sent: 20 January 2014 15:08
> To: users_at_jersey.java.net
> Subject: XSS attack prevention
>
> Hi,
>
> We have some issues regarding XSS attack prevention for our Jersey rest api. We are using Jersey version : 1.17.1.
>
> We would like to know whether Jersey provides any mechanism to block XSS attacks, especially when using JSON payloads. Is there any mechanism to escape html and script tags in the JSON payload?
>
> If not in 1.17.1, is there any such mechanism in Jersey 2?
>
> regards
>
>
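The Jackson CharacterEscapes approach Jakub points to, worked through as an added example (not code from the thread or from the Jersey project). It assumes Jackson 2.x and the JAX-RS ContextResolver hook that Jersey 2 uses to pick up a custom ObjectMapper; the class names HtmlCharacterEscapes and HtmlSafeObjectMapperResolver are my own.

```java
import com.fasterxml.jackson.core.SerializableString;
import com.fasterxml.jackson.core.io.CharacterEscapes;
import com.fasterxml.jackson.databind.ObjectMapper;

import javax.ws.rs.ext.ContextResolver;
import javax.ws.rs.ext.Provider;
import java.util.Collections;
import java.util.Map;

// Escapes HTML-significant ASCII characters in every JSON string Jackson writes,
// so a value like <script> reaches the browser as \u003Cscript\u003E and cannot
// be interpreted as markup if the JSON is ever inlined into an HTML page.
// This is output escaping: it does not reject or alter the stored data.
public class HtmlCharacterEscapes extends CharacterEscapes {
    private final int[] asciiEscapes;

    public HtmlCharacterEscapes() {
        // Start from Jackson's standard table (quotes, backslash, control chars)
        int[] esc = CharacterEscapes.standardAsciiEscapesForJSON();
        // ESCAPE_STANDARD = emit the \\uXXXX form for these code points too
        esc['<'] = CharacterEscapes.ESCAPE_STANDARD;
        esc['>'] = CharacterEscapes.ESCAPE_STANDARD;
        esc['&'] = CharacterEscapes.ESCAPE_STANDARD;
        esc['\''] = CharacterEscapes.ESCAPE_STANDARD;
        asciiEscapes = esc;
    }

    @Override
    public int[] getEscapeCodesForAscii() {
        return asciiEscapes;
    }

    @Override
    public SerializableString getEscapeSequence(int ch) {
        // Only needed for ESCAPE_CUSTOM entries; we use ESCAPE_STANDARD, so none
        return null;
    }

    // Registers an ObjectMapper carrying the escapes with the JAX-RS runtime;
    // Jersey 2 resolves the ObjectMapper through this ContextResolver.
    @Provider
    public static class HtmlSafeObjectMapperResolver implements ContextResolver<ObjectMapper> {
        private final ObjectMapper mapper = new ObjectMapper();

        public HtmlSafeObjectMapperResolver() {
            mapper.getFactory().setCharacterEscapes(new HtmlCharacterEscapes());
        }

        @Override
        public ObjectMapper getContext(Class<?> type) {
            return mapper;
        }
    }
}
```

Serialising a constructed map such as Collections.singletonMap("name", "<script>") through that mapper yields {"name":"\u003Cscript\u003E"}, which any JSON parser still decodes to the original string; the escaping protects only the transport, so consumers that insert values into the DOM must still encode for the HTML context they use.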