Security enhancement: JSON Vulnerability Protection

[kennardconsulting]

May I suggest MongoStreamingOutput could be changed to add escaping characters:

public void write( OutputStream out )
    throws IOException, WebApplicationException {

    if ( object instanceof DBCursor ) {
        out.write( ")]}',\n".getBytes() );
    }
    com.mongodb.jee.util.JSON.serialize(object, out);
}

This prevents a type of JSON attack, described here http://docs.angularjs.org/api/ng.$http (see heading 'JSON Vulnerability Protection')

[angelozerr]

Thank's for the hint and the link.

It seems Angular works with ")]}',\n", but is it a standard mean?

For instance at http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx it says :

The ASP.NET AJAX library uses the "d" parameter formatting for JSON data. This forces the data in the example to appear in the following form:
{"d" : "bankaccountnumber", "$1234.56" }

Perhaps we should manage the both?

JAX-RS provider should manage that too
https://github.com/angelozerr/mongo-jee/blob/master/mongo-jee/src/main/java/com/mongodb/jee/jaxrs/providers/DBObjectIterableProvider.java

But how to pass this info to the provider? With an annotation? A global configuration?

[kennardconsulting]

A global configuration might be nice. Maybe specified along with context-param mongoURI in the web.xml?