From d8bb9c055a3fcc15dfc92ea8238b4c26bf71f55c Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Mon, 2 May 2022 16:50:14 -0700 Subject: Configurable API sanitization --- src/main/java/org/traccar/Context.java | 4 +++- src/main/java/org/traccar/config/Keys.java | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) (limited to 'src/main/java') diff --git a/src/main/java/org/traccar/Context.java b/src/main/java/org/traccar/Context.java index c44d432b2..ee14f8a1a 100644 --- a/src/main/java/org/traccar/Context.java +++ b/src/main/java/org/traccar/Context.java @@ -294,7 +294,9 @@ public final class Context { } objectMapper = new ObjectMapper(); - objectMapper.registerModule(new SanitizerModule()); + if (config.getBoolean(Keys.WEB_SANITIZE)) { + objectMapper.registerModule(new SanitizerModule()); + } objectMapper.registerModule(new JSR353Module()); objectMapper.setConfig( objectMapper.getSerializationConfig().without(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)); diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java index dc6bcbec9..f5299b90b 100644 --- a/src/main/java/org/traccar/config/Keys.java +++ b/src/main/java/org/traccar/config/Keys.java @@ -552,6 +552,14 @@ public final class Keys { "web.port", Collections.singletonList(KeyType.GLOBAL)); + /** + * Sanitize all strings returned via API. This is needed to fix XSS issues in the old web interface. New React-based + * interface doesn't require this. + */ + public static final ConfigKey WEB_SANITIZE = new ConfigKey<>( + "web.sanitize", + Collections.singletonList(KeyType.GLOBAL)); + /** * Path to the web app folder. */ -- cgit v1.2.3