Avoid XSS by escaping HTML during serialization

benmccallum · web-flow · commit e134f855ae08 · 2018-10-01T13:43:45.000+02:00
Addresses #18
diff --git a/Source/Schema.NET/Thing.Partial.cs b/Source/Schema.NET/Thing.Partial.cs
@@ -8,13 +8,19 @@
     public partial class Thing : JsonLdObject
     {
         private const string ContextPropertyJson = "\"@context\":\"http://schema.org\",";
+        
+        /// <summary>
+        /// Serializer settings used.
+        /// Note: Escapes HTML to avoid XSS vulnerabilities where user-supplied data is used.
+        /// </summary>
         private static readonly JsonSerializerSettings SerializerSettings = new JsonSerializerSettings()
         {
             Converters = new List<JsonConverter>()
             {
                 new StringEnumConverter()
             },
-            NullValueHandling = NullValueHandling.Ignore
+            NullValueHandling = NullValueHandling.Ignore,
+            StringEscapeHandling = StringEscapeHandling.EscapeHtml
         };
 
         /// <summary>
