How can I change the generated jersey error messages?

I have an application with Jersey that has been launched through our website. It returned with a vulnerability that is rather strange. If you post this header:

"*/*'" !@ $^*\/:;.,?{}[]`~-_<sCrIpT>alert(81363)</sCrIpT>" 

You get an error in the body from Jersey:

 The HTTP header field "Accept" with value "*/*'" !@ $^*\/:;.,?{}[]`~-_<sCrIpT>alert(56224)</sCrIpT>" could not be parsed. 

This is not acceptable for our security group. It returns as "text/plain", which is correct and that's it, but I need to change the message. Is there any way to do this?

This works on Tomcat, and I am using Jersey 1.14.

1 answer

This is Paul from the Jersey team:

You must clear the object from your servlet filter, or you can register a ContainerResponseFilter in Jersey, something like:

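    import com.sun.jersey.spi.container.ContainerRequest;
    import com.sun.jersey.spi.container.ContainerResponse;
    import com.sun.jersey.spi.container.ContainerResponseFilter;

    public class PurgeErrorEntityResponseFilter implements ContainerResponseFilter {
        @Override
        public ContainerResponse filter(ContainerRequest request, ContainerResponse response) {
            // Drop the body of every 400 response so the rejected header value is not echoed back.
            if (response.getStatus() == 400) {
                response.setEntity(null);
            }
            return response;
        }
    }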

and web.xml:

    <init-param>
        <param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
        <!-- Jersey expects the filter's fully qualified class name here -->
        <param-value>xyzPurgeErrorEntityResponseFilter</param-value>
    </init-param>

It worked for me. I have done this:

 response.setEntity(StringEscapeUtils.escapeHtml(response.getEntity().toString())); 

and it escaped the error message. Thank you Paul!

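A null-safe variant of the escaping approach above, as an added example that is not part of the original answer or Jersey's own code. The class name EscapeErrorEntityResponseFilter and the escapeHtml helper are assumptions, written against the Jersey 1.x filter API used on this page. It leaves 400 responses without a String body untouched and sets X-Content-Type-Options: nosniff so the text/plain body is not sniffed as HTML:

```java
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerResponse;
import com.sun.jersey.spi.container.ContainerResponseFilter;

// Added example: hypothetical class, registered in web.xml the same way as the filter above.
public class EscapeErrorEntityResponseFilter implements ContainerResponseFilter {

    @Override
    public ContainerResponse filter(ContainerRequest request, ContainerResponse response) {
        Object entity = response.getEntity();
        // A 400 may carry no entity at all, or a non-String entity (for example a
        // JAXB object); calling toString() on those would throw or mangle the body.
        if (response.getStatus() == 400 && entity instanceof String) {
            // Note: this also escapes String bodies the application itself returns with 400.
            response.setEntity(escapeHtml((String) entity));
            // Tell browsers not to second-guess the declared text/plain content type.
            response.getHttpHeaders().putSingle("X-Content-Type-Options", "nosniff");
        }
        return response;
    }

    // Minimal HTML escaper (assumption: used instead of commons-lang to stay dependency-free).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```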

Source: https://habr.com/ru/post/1437834/

