I am running a Java 8, Tomcat, DynamoDB stack. I have this method:
    @GET
    @Path("/{var:.*}")
    @Produces(MediaType.APPLICATION_JSON)
    public Response mirrorRest(@Context UriInfo info, @Context HttpHeaders headers, @Context HttpEntity entity,
                               @PathParam(value = "var") String var) throws URISyntaxException {
        // Rebuild the incoming request against the upstream server, dropping any client-supplied "key"
        URI uri = new URI("https", server, null, null);
        UriComponentsBuilder builder = UriComponentsBuilder.fromUri(uri);
        builder.path(var);
        for (String key : info.getQueryParameters().keySet()) {
            if (!key.equals("key")) {
                String queryParam = StringEscapeUtils.escapeHtml(info.getQueryParameters().get(key).get(0));
                builder.query(key + "=" + queryParam);
            }
        }
        builder.query("key=" + API_KEY);
        RestTemplate restTemplate = new RestTemplate();
        try {
            ResponseEntity response = restTemplate.exchange(builder.build().toUri(), HttpMethod.GET, entity, String.class);
            Object responseBody = response.getBody();
            return Response.ok(response.getBody()).build();
        } catch (HttpStatusCodeException e) {
            // Pass the upstream error status and body straight through to the caller
            return Response.status(e.getStatusCode().value()).entity(e.getResponseBodyAsString()).build();
        }
    }
At one point I am reading from springframework.http.HttpEntity, creating a ResponseEntity. However, I want to sanitize the body before I output it to avoid XSS. This is what I haven't figured out how to do, because getBody() will return an Object:

    Object responseBody = response.getBody();

Any ideas on how to handle this Object to ensure that it is sanitized?
Maybe just this way:

    ResponseEntity<String> response = restTemplate.exchange(builder.build().toUri(),
            HttpMethod.GET, entity, String.class);
    String responseBody = response.getBody();

ResponseBody is a container for the response body with possible type parametrization. If you expect some JSON-serializable content, it's better to parametrize ResponseEntity with the proper class to which this JSON could be deserialized.
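As an added example (not code from either post), this shows the typed-deserialization approach the answer describes carried through to the sanitization the question asks for: the upstream JSON is read into a Map instead of a raw Object, and each string value is HTML-escaped individually, since escaping the whole JSON text with escapeHtml would turn its quotes into &quot; and break the JSON. It assumes Spring Web plus spring-test (for the in-process MockRestServiceServer), Jackson and commons-lang 2 on the classpath; the upstream URL, API key and JSON reply are constructed.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.test.web.client.MockRestServiceServer;
import org.springframework.web.client.RestTemplate;

import static org.springframework.test.web.client.match.MockRestRequestMatchers.requestTo;
import static org.springframework.test.web.client.response.MockRestResponseCreators.withSuccess;

public class TypedMirror {

    private static final ParameterizedTypeReference<Map<String, Object>> JSON_OBJECT =
            new ParameterizedTypeReference<Map<String, Object>>() {};

    /** Read the upstream reply as a typed JSON object rather than a raw Object. */
    static Map<String, Object> fetch(RestTemplate restTemplate, URI uri) {
        ResponseEntity<Map<String, Object>> response =
                restTemplate.exchange(uri, HttpMethod.GET, HttpEntity.EMPTY, JSON_OBJECT);
        return response.getBody();
    }

    /** Escape string values field by field (recursing into nested objects and arrays). */
    static Object escapeStrings(Object value) {
        if (value instanceof String) return StringEscapeUtils.escapeHtml((String) value);
        if (value instanceof Map) {
            Map<String, Object> out = new LinkedHashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) out.put(String.valueOf(e.getKey()), escapeStrings(e.getValue()));
            return out;
        }
        if (value instanceof List) {
            List<Object> out = new ArrayList<>();
            for (Object item : (List<?>) value) out.add(escapeStrings(item));
            return out;
        }
        return value; // numbers, booleans and null need no escaping
    }

    public static void main(String[] args) {
        RestTemplate restTemplate = new RestTemplate();
        // Constructed upstream reply, served in-process so the example runs offline (hypothetical host and key)
        String upstream = "https://api.example.invalid/v1/item?key=APIKEY";
        MockRestServiceServer server = MockRestServiceServer.bindTo(restTemplate).build();
        server.expect(requestTo(upstream)).andRespond(withSuccess(
                "{\"name\":\"<script>alert(1)</script>\",\"tags\":[\"a&b\"],\"count\":3}", MediaType.APPLICATION_JSON));
        System.out.println(escapeStrings(fetch(restTemplate, URI.create(upstream))));
        server.verify();
    }
}
```

Whether to escape at all depends on the consumer: a client that serves the result as application/json and inserts values into the DOM via text nodes needs no escaping, whereas one that concatenates them into HTML does.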