use HTML encoding on JSON return strings ... starting with the GSON implementation
diff --git a/modules/json/pom.xml b/modules/json/pom.xml
index a662603..55f9acd 100644
--- a/modules/json/pom.xml
+++ b/modules/json/pom.xml
@@ -64,6 +64,11 @@
             <version>${project.version}</version>
         </dependency>
         <dependency>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>1.2.3</version>
+        </dependency>
+        <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>
         </dependency>
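Review bot: The new `org.owasp.encoder:encoder` dependency hard-codes `<version>1.2.3</version>` (L12) while the gson dependency directly below it (L15-L17) carries no version and so appears to take it from the parent POM's `<dependencyManagement>`. For a security library whose version will be bumped on advisories, manage it the same way: drop `<version>1.2.3</version>` from this module and add the managed entry in the parent, so the supply chain is auditable from one place and every module that later adopts the encoder gets the same release. Whether other modules in the tree will also need the encoder is not visible from this diff.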
diff --git a/modules/json/src/org/apache/axis2/json/gson/JsonFormatter.java b/modules/json/src/org/apache/axis2/json/gson/JsonFormatter.java
index 4aaa8c9..cbd3033 100644
--- a/modules/json/src/org/apache/axis2/json/gson/JsonFormatter.java
+++ b/modules/json/src/org/apache/axis2/json/gson/JsonFormatter.java
@@ -20,6 +20,7 @@
 package org.apache.axis2.json.gson;
 
 import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
 import com.google.gson.stream.JsonWriter;
 import org.apache.axiom.om.OMElement;
 import org.apache.axiom.om.OMOutputFormat;
@@ -98,7 +99,10 @@
 
             } else {
                 try {
-                    Gson gson = new Gson();
+                    GsonBuilder gsonBuilder = new GsonBuilder(); 
+                    // XSS protection, encode JSON Strings as HTML
+                    gsonBuilder.registerTypeAdapter(String.class, new JsonHtmlXssSerializer());
+                    Gson gson = gsonBuilder.create();
                     jsonWriter.beginObject();
                     jsonWriter.name(JsonConstant.RESPONSE);
                     Type returnType = (Type) outMsgCtxt.getProperty(JsonConstant.RETURN_TYPE);
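Review bot: Registering `JsonHtmlXssSerializer` for every `String` (L37) changes the response payload for every consumer, not just browsers: a legitimate value such as `a < b` or `Tom & Jerry` will presumably come back as `a &lt; b` / `Tom &amp; Jerry` (the serializer class itself is not in this diff, so the exact encoding cannot be checked), which is a data-corruption bug for any non-HTML client that deserializes the JSON. Output encoding against XSS belongs where a value is inserted into HTML; for the JSON response itself the defence is to emit it with `Content-Type: application/json` and `X-Content-Type-Options: nosniff` so a browser never interprets the body as markup. If the encoding is kept it should be opt-in (for example gated on a message-context property) and the inline comment should warn API consumers, e.g. `// NOTE: string values are HTML-entity encoded in the response; non-browser clients must decode them`. Building a fresh `GsonBuilder`/`Gson` on every call (L35-L38) could also be hoisted to a `static final` field, since Gson instances are documented as thread-safe. The enclosing method begins before and continues past this hunk.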