Json.NET SerializeObject escape values to prevent XSS
This may not be ideal but this is my solution (for now, at least):
JsonConvert.SerializeObject(new { Property = "<script>alert('o hai');</script>" }, new HtmlEncodeStringPropertiesConverter());
with a simple JsonConverter that performs HtmlEncode on the value if it is a string
public class HtmlEncodeStringPropertiesConverter : JsonConverter
{
public override bool CanConvert(Type objectType)
{
return objectType == typeof(string);
}
public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
{
throw new NotImplementedException();
}
public override void WriteJson(JsonWriter writer, object value, JsonSerializer serializer)
{
writer.WriteValue(Encoder.HtmlEncode(value.ToString()));
}
}
(Encoder
is Microsoft.Security.Application.Encoder
from the AntiXSS library)
Functionality to achieve this was added in version 4.5.11
This allows you to add various type of escaping to the output.
This is my LinqPad test:
var settings = new JsonSerializerSettings();
settings.StringEscapeHandling = StringEscapeHandling.EscapeHtml;
var output = JsonConvert.SerializeObject(new { Property = "<script>alert('o hai');</script>" }, settings);
Debug.Print(output);
outputs
{"Property":"\u003cscript\u003ealert(\u0027o hai\u0027);\u003c/script\u003e"}
Just as a disclaimer, this isn't a golden bullet to fix xss, but should help you mitigate it a bit given your example.