authorAnton Tananaev <anton@traccar.org>2022-05-02 16:50:14 -0700
committerAnton Tananaev <anton@traccar.org>2022-05-02 16:50:14 -0700
commitd8bb9c055a3fcc15dfc92ea8238b4c26bf71f55c (patch)
treeaa7d669ab6f19298f1794c3265f2197282f7aeb9
parent8853720199fb97d31d61cb442b5eac2d547aa8a0 (diff)
Configurable API sanitization
-rw-r--r--setup/default.xml1
-rw-r--r--src/main/java/org/traccar/Context.java4
-rw-r--r--src/main/java/org/traccar/config/Keys.java8
3 files changed, 12 insertions, 1 deletions
diff --git a/setup/default.xml b/setup/default.xml
index 71e14f501..1f89ae3d8 100644
--- a/setup/default.xml
+++ b/setup/default.xml
@@ -12,6 +12,7 @@
<entry key='web.port'>8082</entry>
<entry key='web.path'>./web</entry>
+ <entry key='web.sanitize'>true</entry>
<entry key='web.persistSession'>false</entry>
<entry key='geocoder.enable'>true</entry>
diff --git a/src/main/java/org/traccar/Context.java b/src/main/java/org/traccar/Context.java
index c44d432b2..ee14f8a1a 100644
--- a/src/main/java/org/traccar/Context.java
+++ b/src/main/java/org/traccar/Context.java
@@ -294,7 +294,9 @@ public final class Context {
}
objectMapper = new ObjectMapper();
- objectMapper.registerModule(new SanitizerModule());
+ if (config.getBoolean(Keys.WEB_SANITIZE)) {
+ objectMapper.registerModule(new SanitizerModule());
+ }
objectMapper.registerModule(new JSR353Module());
objectMapper.setConfig(
objectMapper.getSerializationConfig().without(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS));
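Review bot: The `SanitizerModule` registration on the added lines is now skipped whenever `config.getBoolean(Keys.WEB_SANITIZE)` evaluates false, and the key as declared in the Keys.java hunk carries no default value, so any deployment whose configuration does not contain `web.sanitize` (only the shipped default.xml sets it to true) silently loses the XSS mitigation that was previously unconditional. A toggle that gates a security control should fail closed: give the key a default of `true` in its declaration if `ConfigKey` supports a default argument, or otherwise treat the unset case as enabled in this condition. It would also help operators to emit a startup log line when the module is deliberately not registered, so the disabled state is visible rather than inferred from behaviour. The enclosing initialisation code begins and ends outside this hunk.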
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index dc6bcbec9..f5299b90b 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -553,6 +553,14 @@ public final class Keys {
Collections.singletonList(KeyType.GLOBAL));
/**
+ * Sanitize all strings returned via API. This is needed to fix XSS issues in the old web interface. New React-based
+ * interface doesn't require this.
+ */
+ public static final ConfigKey<Boolean> WEB_SANITIZE = new ConfigKey<>(
+ "web.sanitize",
+ Collections.singletonList(KeyType.GLOBAL));
+
+ /**
* Path to the web app folder.
*/
public static final ConfigKey<String> WEB_PATH = new ConfigKey<>(
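Review bot: The Javadoc on the new `WEB_SANITIZE` key does not say what happens when the entry is absent, which matters because the declaration has no default and the key gates an output-sanitization control that affects every API consumer, not only the bundled web interface. Add a sentence stating the effective behaviour when the key is unset (which appears to be "sanitization disabled" given `getBoolean` on a key with no default — confirm against `Config.getBoolean`) and that disabling it shifts the responsibility for output encoding onto every client that renders API strings. The second sentence could also be tightened to `The new React-based interface performs its own escaping and does not need it.` only if that is in fact how the new interface behaves; otherwise keep the original wording.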