#Fix: Sanitize SPA JSON response within HTML response in order to avoid <script> parsing conflicts.

ggallotti · ggallotti · commit 178512a089cc · 2022-11-17T14:22:20.000-03:00
Issue: 99580
diff --git a/java/src/main/java/com/genexus/internet/HttpContext.java b/java/src/main/java/com/genexus/internet/HttpContext.java
@@ -28,6 +28,7 @@
 import com.genexus.webpanels.GXWebObjectBase;
 import com.genexus.webpanels.WebSession;
 
+import com.genexus.webpanels.WebUtils;
 import json.org.json.IJsonFormattable;
 import json.org.json.JSONArray;
 import json.org.json.JSONException;
@@ -933,7 +934,7 @@ public void SendState()
 		AddStylesheetsToLoad();
 		if (isSpaRequest())
 		{
-			writeTextNL("<script>gx.ajax.saveJsonResponse(" + getJSONResponse() + ");</script>");
+			writeTextNL("<script>gx.ajax.saveJsonResponse(" + WebUtils.htmlEncode(JSONObject.quote(getJSONResponse()), true) + ");</script>");
 		}
 		else
 		{				

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@`
`28`	`28`	`import com.genexus.webpanels.GXWebObjectBase;`
`29`	`29`	`import com.genexus.webpanels.WebSession;`
`30`	`30`
	`31`	`+import com.genexus.webpanels.WebUtils;`
`31`	`32`	`import json.org.json.IJsonFormattable;`
`32`	`33`	`import json.org.json.JSONArray;`
`33`	`34`	`import json.org.json.JSONException;`
`@@ -933,7 +934,7 @@ public void SendState()`
`933`	`934`	`AddStylesheetsToLoad();`
`934`	`935`	`if (isSpaRequest())`
`935`	`936`	`{`
`936`		`- writeTextNL("<script>gx.ajax.saveJsonResponse(" + getJSONResponse() + ");</script>");`
	`937`	`+ writeTextNL("<script>gx.ajax.saveJsonResponse(" + WebUtils.htmlEncode(JSONObject.quote(getJSONResponse()), true) + ");</script>");`
`937`	`938`	`}`
`938`	`939`	`else`
`939`	`940`	`{`