I have been asked to perform a sanity check on how our application is posting data to the service layer.
Suppose the scenario below
frontend posts this json with content-type: application/json
{
"description":"\n das!!!'/.xtest",
"topic":"test"
}From the security perspective, is there any need to escape special characters inside that json request payload before sending?
What is the best practice for posting or putting json with special characters in general?
I've been googling for answers while yet to find a recommended or widely agreed standard.
Please, any input is highly appreciated!
No.
There's nothing special you need to do. As long as what you're sending is valid JSON, it's already sufficiently escaped.
Naturally, like anything else that comes from the client, the content of that JSON should be eyed with suspicion and only used in constrained ways (for instance, you wouldn't take a string provided by User A and output it as HTML in User B's browser), but that's nothing specific to JSON.