XML export/import in 2.0 (ZBX-4867)

[ZBX-5116] excess escaping and newlines in api xml export Created: 2012 Jun 02  Updated: 2016 Dec 13  Resolved: 2016 Dec 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: None
Fix Version/s: 3.4.0alpha1

Type: Sub-task Priority: Major
Reporter: richlv Assignee: Unassigned
Resolution: Fixed Votes: 1
Labels: escaping, export, xml
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

configuration.export seems to have some issues:

a) In the export, slashes are escaped by backslashing them. This doesn't seem to be necessary, and does not match the example at http://www.zabbix.com/documentation/2.0/manual/appendix/api/configuration/export

b) There are two excess newlines:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n
and
<\/zabbix_export>\n

Comments
Comment by Pavels Jelisejevs (Inactive) [ 2012 Sep 11 ]

a) Slashes are not escaped in XML, but when encoding it in JSON, according to JSON standards.

b) This is a feature of the PHP XMLWriter class we're using; we can't disable it.

CLOSED.

Comment by richlv [ 2012 Sep 11 ]

a) The JSON standard does not seem to mandate escaping slashes.

All Unicode characters may be placed within the quotation marks except for the characters that must be escaped: quotation mark, reverse solidus, and the control characters (U+0000 through U+001F).

" quotation mark U+0022
\ reverse solidus U+005C

(above from http://www.ietf.org/rfc/rfc4627.txt)

Or am I missing something here?

<pavels> Yeah, sorry, it does not require encoding slashes, but most of the JSON encoders (including the standard json_encode() function in PHP <5.4 and the one we use) do that by default, so it could be easily embedded in the <script> tag. Another built-in feature we can't turn off.

<richlv> http://php.net/manual/en/function.json-encode.php has JSON_UNESCAPED_SLASHES mentioned. What is it?

Oh, right, that's since 5.4.0. Let's use it on >= 5.4.0 then.

<pavels> I don't think it's a good idea to make the API's output dependent on the version of PHP.

<richlv> Dammit. But good point. Can we just strip slash escaping?

Comment by richlv [ 2015 Dec 25 ]

With Zabbix 3.0 requiring PHP 5.4, this issue should be easy to solve now.

Comment by richlv [ 2015 Dec 25 ]

Also see ZBX-10199 (backslash is not escaped in the API response).

Comment by Aleksandrs Saveljevs [ 2016 Oct 17 ]

Also see (11) in ZBXNEXT-3457.

Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 09 ]

Fixed in the development branch svn://svn.zabbix.com/branches/dev/ZBX-5116

Comment by Ivo Kurzemnieks [ 2016 Nov 09 ]

(1) Translation strings?

vitalijs.cemeris No translation strings changed.

iivs CLOSED

Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 22 ]

(2) Encoding to JSON text should not escape forward slashes in the export or in any result of an API request; however, for other cases forward slashes should be escaped for security reasons.

RESOLVED in svn://svn.zabbix.com/branches/dev/ZBX-5116

iivs CLOSED

Comment by richlv [ 2016 Nov 22 ]

vitalijs.cemeris, is there a summary somewhere of what the security reasons are?

vitalijs.cemeris: When using encodeJson() for inserting a string into JavaScript it must escape forward slashes, because HTML will consider </script> as a closing tag.

<richlv> Thanks. Where does Zabbix put the exported data in JavaScript?

vitalijs.cemeris Nowhere; in exported data and all API results forward slashes are not escaped anymore. As for other places where encoding to JSON is used, forward slashes are escaped.

iivs Give an example where unescaping a forward slash breaks the functionality.

vitalijs.cemeris For example, when requesting popup_httpstep.php with an invalid dstfrm parameter: http://localhost/popup_httpstep.php?dstfrm=</script><script>alert(document.cookie);</script>

This will execute a client-side script, for example in Firefox. As for Chrome, the XSS auditor will refuse to execute the script.

<richlv> vitalijs.cemeris, I might have misunderstood this comment: "Encoding to JSON format should not escape forward slashes in export or any result of API request, however for other cases forward slashes should be escaped for security reasons." Here, JSON refers to the API in general, not just the JSON configuration export format, right?

vitalijs.cemeris Yes, when exporting in JSON or XML export format, forward slashes are not escaped anymore.

<richlv> Thanks a lot, sounds great.
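
An added example in JavaScript, not Zabbix's encodeJson() or any code from this issue, contrasting the two encoders the comment above distinguishes: plain JSON for API responses and export files, and slash-escaped JSON for values inlined into a <script> block, together with the check a templating layer could run before inlining. Function names and the sample object are assumptions; the sample's dstfrm value is modelled on the one quoted in this issue.

```javascript
// Added example (not Zabbix code). RFC 4627 only requires escaping '"',
// '\' and control characters, so API responses and export files can leave
// '/' alone. When the same JSON text is inlined into an HTML <script>
// block, a literal "</script>" inside a string value ends the script
// element early, so that encoder escapes '/' as "\/" (a valid JSON escape
// that every decoder reverses).

// Encoder for API responses and configuration export: slashes intact.
function encodeJsonForApi(value) {
  return JSON.stringify(value);
}

// Encoder for values inlined into a <script> block: additionally escape
// forward slashes so "</script>" cannot appear literally in the output.
function encodeJsonForScript(value) {
  return JSON.stringify(value).replace(/\//g, '\\/');
}

// Defensive check before inlining JSON into HTML: does the text contain an
// end-tag sequence the HTML parser would honour even inside a JS string?
function containsScriptEndTag(jsonText) {
  return /<\/script/i.test(jsonText);
}

// Constructed sample (assumption) modelled on the dstfrm value from this issue.
const sample = {
  dstfrm: '</script><script>alert(document.cookie);</script>',
  path: '/zabbix/popup_httpstep.php',
};

// Both encodings decode to the same value: "\/" and "/" are equivalent JSON.
function roundTripsEqual(value) {
  return JSON.stringify(JSON.parse(encodeJsonForScript(value))) ===
         JSON.stringify(JSON.parse(encodeJsonForApi(value)));
}

console.log('API/export:', encodeJsonForApi(sample));
console.log('for <script>:', encodeJsonForScript(sample));
```

The API encoding keeps the literal end tag (the check flags it), the script encoding does not, and JSON.parse returns the same object for both.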

Comment by Ivo Kurzemnieks [ 2016 Nov 23 ]

TESTED

Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 24 ]

Fixed in pre-3.3.0 (r63970)

Comment by vitalijs.cemeris (Inactive) [ 2016 Nov 24 ]

(3) [D] API documentation:

  • prevented escaping forward slashes while encoding API response to JSON text (changes 3.2 - 3.4)

RESOLVED

martins-v Reviewed, with a small grammar fix. CLOSED

iivs Why is it backwards incompatible? It affects only encoding, not decoding.

REOPENED

vitalijs.cemeris Moved to the list of other changes and bug fixes. RESOLVED

martins-v Looks good. CLOSED
