Monday, December 21, 2015

Java Web Services and Security: class notes



  • In the past there were RPC, RMI and CORBA, but they are all obsolete now
  • Base64 makes binary data about 1/3 larger: 300KB => 400KB
  • XML definitions
    • Well-formed XML
      • has a PI (processing instruction)
      • a single root element
      • matching open and close tags
      • case-sensitive
    • Validated XML (valid XML)
      • DTD
      • XML Schema
  • History
    • XML has declined, but it still has its uses
      • exchanged data can be validated
        • e.g. leap-year dates such as 2015-02-29 (the AP does not need to check them itself)
    • SOAP has declined too, but
      • digital signatures and the like
      • you could write those yourself as well... so it is a bit of a "chicken rib" (little value, yet a pity to throw away)
  • Terms
    • AP Server
      • Web Container
      • EJB Container
      • implements the specifications defined by Java EE
    • Tomcat has only the web container and implements a small part of the Java EE spec
  • Terms
    • REpresentational Service (REST)
      • can output all kinds of formats: json, xml, csv, ...
  • Convention
    • db table names are singular: tb_member
    • RESTful resource names are plural: members
  • JSON definition
    • [ { a: 1 } ] is not valid (but works); the top level should be wrapped in { }
    • the security issue with a top-level [ ]
      • JavaScript evaluates it by calling the Array constructor, and JS lets a script override the Array constructor, so an attacker can attack the system through this
    • Fix: wrap it in { }
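The last bullet in code form, as an added example that is not part of the class notes: a small response builder that never lets a bare array be the top-level JSON value, plus a check a practitioner can run over existing endpoints. The function names (topLevelIsObject, isList, encodeApiResponse, sendJson) and the sample rows are my own, not from any framework.

```php
<?php
// Added example, not code from the class notes. It shows the mitigation from the
// last bullet: never let a bare JSON array be the top-level value of a response.
// Function names (topLevelIsObject, isList, encodeApiResponse, sendJson) are hypothetical.
declare(strict_types=1);

// True when $json, ignoring leading whitespace, starts with "{". A body that passes
// this check is a syntax error if a page tries to load it as a <script> (a block
// statement containing "key":value), so an overridden Array constructor never runs.
function topLevelIsObject(string $json): bool
{
    return strncmp(ltrim($json), '{', 1) === 0;
}

// Is $value a PHP "list" (sequential integer keys from 0)? json_encode turns those into [...].
function isList(array $value): bool
{
    return $value === [] || array_keys($value) === range(0, count($value) - 1);
}

// Encode a payload so that the top level is always an object. Lists and scalars are
// wrapped as {"data": ...}; an associative array already encodes to an object.
function encodeApiResponse($payload): string
{
    $body = (is_array($payload) && !isList($payload)) ? $payload : ['data' => $payload];
    $json = json_encode($body);
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    if (!topLevelIsObject($json)) {   // defence in depth: refuse to ship a bare array
        throw new LogicException('top-level JSON value must be an object');
    }
    return $json;
}

// Emit the body with the headers a JSON endpoint should carry. Headers are skipped
// on the CLI so the script can be run from a terminal.
function sendJson(string $json): void
{
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    echo $json, "\n";
}

// Constructed sample rows, as if fetched from tb_member.
$members = [
    ['id' => 1, 'name' => 'Ann'],
    ['id' => 2, 'name' => 'Bob'],
];

sendJson(encodeApiResponse($members));        // list is wrapped under "data"
sendJson(encodeApiResponse(['total' => 2]));  // associative array passes through
sendJson(encodeApiResponse([]));              // empty list is wrapped too
```

The topLevelIsObject check is cheap enough to keep in an output filter or a test suite, which is how you catch an endpoint that someone later changes to return a plain list.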





Monday, December 14, 2015

Strengthening the XSS defence of json_encode

Because I often pull data out of the db and json_encode the whole thing for the frontend,
filtering it field by field is pretty tiring.
It would be ideal to filter the encoded string directly~

Luckily json_encode has handy flags for this.
The full call with all four flags is:
json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS);
The PHP manual has a complete example; excerpted below:
<?php
$a = array('<foo>',"'bar'",'"baz"','&blong&', "\xc3\xa9");

echo "Normal: ",  json_encode($a), "\n";
echo "Tags: ",    json_encode($a, JSON_HEX_TAG), "\n";
echo "Apos: ",    json_encode($a, JSON_HEX_APOS), "\n";
echo "Quot: ",    json_encode($a, JSON_HEX_QUOT), "\n";
echo "Amp: ",     json_encode($a, JSON_HEX_AMP), "\n";
echo "Unicode: ", json_encode($a, JSON_UNESCAPED_UNICODE), "\n";
echo "All: ",     json_encode($a, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE), "\n\n";

Output:
Normal: ["<foo>","'bar'","\"baz\"","&blong&","\u00e9"]
Tags: ["\u003Cfoo\u003E","'bar'","\"baz\"","&blong&","\u00e9"]
Apos: ["<foo>","\u0027bar\u0027","\"baz\"","&blong&","\u00e9"]
Quot: ["<foo>","'bar'","\u0022baz\u0022","&blong&","\u00e9"]
Amp: ["<foo>","'bar'","\"baz\"","\u0026blong\u0026","\u00e9"]
Unicode: ["<foo>","'bar'","\"baz\"","&blong&","é"]
All: ["\u003Cfoo\u003E","\u0027bar\u0027","\u0022baz\u0022","\u0026blong\u0026","é"]
Reference: PHP manual, json_encode(), Example #2 "A json_encode() example showing some options in use"
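Where those flags actually earn their keep is when the encoded string is inlined into HTML rather than sent as an API body. The following is an added example, not the post's code and not the PHP manual's: it wraps the four flags in one encoder, shows the two HTML contexts they cover, and adds a check over the encoded text. The function names (htmlSafeJsonFlags, encodeForHtml, htmlMetaFree, inlineScriptTag, dataAttribute) and the sample row are my own.

```php
<?php
// Added example, not the post's or the PHP manual's code. It shows where the
// JSON_HEX_* flags matter: when the encoded string is inlined into HTML.
// Function names (htmlSafeJsonFlags, encodeForHtml, htmlMetaFree, inlineScriptTag,
// dataAttribute) are hypothetical.
declare(strict_types=1);

// The flag set the post recommends; JSON_UNESCAPED_UNICODE can be OR-ed in as well.
function htmlSafeJsonFlags(): int
{
    return JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
}

function encodeForHtml($value): string
{
    $json = json_encode($value, htmlSafeJsonFlags());
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

// Check on the encoded text: with the four flags, none of < > & ' can appear anywhere
// in it, so no string value can close a <script> or leave a single-quoted attribute.
// Double quotes are not checked, because JSON needs them structurally.
function htmlMetaFree(string $json): bool
{
    return strpbrk($json, "<>&'") === false;
}

// Context 1: inline <script>. PHP escapes / as \/ by default, so "</script>" alone
// would not break out, but JSON_UNESCAPED_SLASHES undoes that and "<!--" is not
// covered at all; JSON_HEX_TAG removes every < and >, which settles both cases.
// $varName is assumed to be a fixed identifier chosen by the developer, never user input.
function inlineScriptTag(string $varName, $value): string
{
    return '<script>var ' . $varName . ' = ' . encodeForHtml($value) . ';</script>';
}

// Context 2: a single-quoted data attribute read later with JSON.parse(). JSON_HEX_APOS
// keeps every ' inside the value and JSON_HEX_AMP stops the browser from entity-decoding
// anything before the JavaScript side sees it. A double-quoted attribute would still
// need htmlspecialchars(), because the structural " of JSON remain.
function dataAttribute(string $attr, $value): string
{
    return '<div id="app" data-' . $attr . "='" . encodeForHtml($value) . "'></div>";
}

// Constructed sample row, as if read from the db: the name carries a closing tag and an
// apostrophe, the note carries quotes, an ampersand and a tag.
$row = [
    'name' => "Ann </script> O'Brien",
    'note' => '"quoted" & <b>tagged</b>',
];

foreach (['plain' => json_encode($row), 'flags' => encodeForHtml($row)] as $label => $json) {
    echo $label, ': ', $json, ' -> ',
        htmlMetaFree($json) ? 'safe to inline in HTML' : 'NOT safe to inline in HTML', "\n";
}

echo inlineScriptTag('member', $row), "\n";
echo dataAttribute('member', $row), "\n";
```

Note the limit of this approach: the flags make the JSON safe to drop into HTML, but they change nothing for a response served as application/json, and they do not replace per-context escaping of any value you later write into the DOM with innerHTML on the client side.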