author | Anton Tananaev <anton@traccar.org> | 2022-05-02 16:50:14 -0700 |
committer | Anton Tananaev <anton@traccar.org> | 2022-05-02 16:50:14 -0700 |
commit | d8bb9c055a3fcc15dfc92ea8238b4c26bf71f55c (patch) | |
tree | aa7d669ab6f19298f1794c3265f2197282f7aeb9 | |
parent | 8853720199fb97d31d61cb442b5eac2d547aa8a0 (diff) | |
Configurable API sanitization
-rw-r--r-- | setup/default.xml | 1 | ||||
-rw-r--r-- | src/main/java/org/traccar/Context.java | 4 | ||||
-rw-r--r-- | src/main/java/org/traccar/config/Keys.java | 8 |
3 files changed, 12 insertions, 1 deletions
diff --git a/setup/default.xml b/setup/default.xml
index 71e14f501..1f89ae3d8 100644
--- a/setup/default.xml
+++ b/setup/default.xml
@@ -12,6 +12,7 @@
 <entry key='web.port'>8082</entry>
 <entry key='web.path'>./web</entry>
+ <entry key='web.sanitize'>true</entry>
 <entry key='web.persistSession'>false</entry>
 <entry key='geocoder.enable'>true</entry>
diff --git a/src/main/java/org/traccar/Context.java b/src/main/java/org/traccar/Context.java
index c44d432b2..ee14f8a1a 100644
--- a/src/main/java/org/traccar/Context.java
+++ b/src/main/java/org/traccar/Context.java
@@ -294,7 +294,9 @@ public final class Context {
 }
 objectMapper = new ObjectMapper();
- objectMapper.registerModule(new SanitizerModule());
+ if (config.getBoolean(Keys.WEB_SANITIZE)) {
+ objectMapper.registerModule(new SanitizerModule());
+ }
 objectMapper.registerModule(new JSR353Module());
 objectMapper.setConfig(
 objectMapper.getSerializationConfig().without(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS));
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index dc6bcbec9..f5299b90b 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -553,6 +553,14 @@ public final class Keys {
 Collections.singletonList(KeyType.GLOBAL));
 /**
+ * Sanitize all strings returned via API. This is needed to fix XSS issues in the old web interface. New React-based
+ * interface doesn't require this.
+ */
+ public static final ConfigKey<Boolean> WEB_SANITIZE = new ConfigKey<>(
+ "web.sanitize",
+ Collections.singletonList(KeyType.GLOBAL));
+
+ /**
 * Path to the web app folder.
 */
 public static final ConfigKey<String> WEB_PATH = new ConfigKey<>(
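Review bot: The new guard in Context.java fails open: `WEB_SANITIZE` is declared in Keys.java with no default value, so if `Config.getBoolean` resolves an absent key to false (nothing in this commit supplies a default, though the accessor itself is not visible here), any deployment whose effective configuration does not carry the new `web.sanitize` entry — for example one that does not pick up the updated default.xml — silently loses the `SanitizerModule` that was previously registered unconditionally, and the XSS mitigation the Javadoc describes disappears without a trace in the logs. A security toggle should keep the protection on when the setting is missing, e.g. `if (config.getBoolean(Keys.WEB_SANITIZE, true)) {` if `Config` offers a defaulted accessor, or otherwise by giving the key a default of `true` at its declaration; logging a warning when sanitization is explicitly disabled would also help operators notice a misconfiguration. The enclosing initialization method of `Context` starts and ends outside the hunk.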
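Review bot: The Javadoc on `WEB_SANITIZE` does not say what happens when the key is absent or set to false, which is exactly the decision an operator needs to make safely; since the declaration carries no default, a reader cannot tell whether absence means sanitized output or not. Suggest extending the comment with `* Leave enabled unless the legacy web interface is not served from this instance; when disabled, API responses carry strings unsanitized and every client must HTML-encode them itself.` and stating explicitly which value an absent key maps to. The `Keys` class continues outside the hunk.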