Question
I am going to escape HTML in Spring MVC with the Jackson mapper to avoid XSS attacks.
I searched for escaping with Jackson alone and for how to configure Jackson in Spring.
I tried exporting JSON with text like "<" and ">"; I expect them to be escaped to "&lt;" and "&gt;".
For example, I added some text enclosed in a bold tag, <b>; I expected to see the plain bold-tag text in the front-end HTML, but the text ended up shown in bold style in the front-end HTML page.
Below is my approach; I don't know why it didn't work out.
Can anyone help?
Thanks in advance!
import org.codehaus.jackson.map.ObjectMapper;

// Jackson 1.x API: getJsonFactory(). On Jackson 2.x the equivalent call is getFactory().
public class CustomObjectMapper extends ObjectMapper {
    public CustomObjectMapper() {
        this.getJsonFactory().setCharacterEscapes(new CustomCharacterEscapes());
    }
}
import org.codehaus.jackson.io.CharacterEscapes;
import org.codehaus.jackson.io.SerializableString;
import org.codehaus.jackson.io.SerializedString;

public class CustomCharacterEscapes extends CharacterEscapes {
    private final int[] asciiEscapes;

    public CustomCharacterEscapes() {
        // Start from Jackson's default JSON escape table (quotes, backslash, control chars).
        int[] esc = CharacterEscapes.standardAsciiEscapesForJSON();
        // Flag the HTML-significant characters as ESCAPE_CUSTOM so that getEscapeSequence()
        // below is consulted for them. ESCAPE_STANDARD (as originally posted) only emits
        // \u003C etc., which the browser turns back into '<' once it parses the JSON.
        esc['<'] = CharacterEscapes.ESCAPE_CUSTOM;
        esc['>'] = CharacterEscapes.ESCAPE_CUSTOM;
        esc['&'] = CharacterEscapes.ESCAPE_CUSTOM;
        esc['\''] = CharacterEscapes.ESCAPE_CUSTOM;
        asciiEscapes = esc;
    }

    @Override
    public int[] getEscapeCodesForAscii() {
        return asciiEscapes;
    }

    @Override
    public SerializableString getEscapeSequence(int ch) {
        // Only reached for characters flagged ESCAPE_CUSTOM above; Jackson fails if this returns null for one of them.
        switch (ch) {
            case '<':  return new SerializedString("&lt;");
            case '>':  return new SerializedString("&gt;");
            case '&':  return new SerializedString("&amp;");
            case '\'': return new SerializedString("&#39;");
            default:   return null;
        }
    }
}
<!-- Replaces the default message converters of the (Spring 3.0-era) AnnotationMethodHandlerAdapter.
     If <mvc:annotation-driven/> is also configured, it registers its own handler adapter with
     default converters, and that adapter may be the one serving the request, in which case
     this customization is never applied. -->
<bean
    class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
    <property name="messageConverters">
        <array>
            <bean id="jsonConverter"
                class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter">
                <property name="objectMapper">
                    <bean class="x.y.z.CustomObjectMapper" />
                </property>
            </bean>
        </array>
    </property>
</bean>
Answer 1:
I have never tried to write my own HttpMessageConverter, but I did find this posting that seems pretty relevant to what you want to do. Looking at their solution vs. what you posted here, I can say the biggest difference I noticed was that you did not seem to implement/override the following:
- protected boolean supports(Class clazz), which indicates which class type you are supporting (I would reckon in your case this would be Object or Serializable if you want it to be generic enough to handle every possibility, or some class specific to your domain objects)
- protected Object readInternal(Class clazz, HttpInputMessage inputMessage), which looks like it's used for the request side
- protected void writeInternal(Object t, HttpOutputMessage outputMessage), which looks like it's used for the response side
Another approach might be to simply create a custom Jackson serializer in conjunction with @ResponseBody. Or, better yet, if you have a value that is user-driven and you're storing it in a database, escape the values prior to insertion. That way you don't need to do anything at all, and the value(s) in question would be "safe" end-to-end. If you wanted to get crazy-fancy, you could write a custom java.beans.PropertyEditor that escapes Strings for HTML and plug that into the mix using @InitBinder.
Finally, I would like to recommend that, instead of trying to replace the characters on your own, you use something like Apache Commons Lang's StringEscapeUtils to escape the values.
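The "custom Jackson serializer plus StringEscapeUtils" route suggested in the answer, written out as an added example (not code from the question, the answer, or the Spring project). It assumes Jackson 2 (com.fasterxml) and Spring 4's MappingJackson2HttpMessageConverter rather than the Jackson 1 classes used in the question, commons-lang3 on the classpath, and the class names HtmlEscapingStringSerializer, HtmlSafeObjectMapper, WebConfig and Demo, which are all chosen here. The sample payload in Demo is constructed for the example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

/**
 * Serializer applied to every String value Jackson writes (hypothetical name).
 * It HTML-escapes the value first and then lets Jackson apply its normal JSON
 * string escaping, so the client receives "&lt;b&gt;" rather than "<b>" or "\u003Cb\u003E".
 */
public class HtmlEscapingStringSerializer extends JsonSerializer<String> {
    @Override
    public void serialize(String value, JsonGenerator gen, SerializerProvider provider)
            throws IOException {
        gen.writeString(escapeForHtml(value));
    }

    /** escapeHtml4 covers < > & " but, by design, not the apostrophe, so add it explicitly. */
    static String escapeForHtml(String value) {
        return StringEscapeUtils.escapeHtml4(value).replace("'", "&#39;");
    }
}

/** Builds the ObjectMapper that Spring's converter will use (hypothetical name). */
final class HtmlSafeObjectMapper {
    private HtmlSafeObjectMapper() {}

    static ObjectMapper create() {
        // Serializers registered through a module take precedence over Jackson's built-in String serializer.
        SimpleModule module = new SimpleModule("html-escaping-strings");
        module.addSerializer(String.class, new HtmlEscapingStringSerializer());
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModule(module);
        return mapper;
    }
}

/** Java-config equivalent of the XML in the question, for Spring 4 / Jackson 2. */
@Configuration
@EnableWebMvc
class WebConfig extends WebMvcConfigurerAdapter {   // on Spring 5, implement WebMvcConfigurer directly
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        MappingJackson2HttpMessageConverter jsonConverter = new MappingJackson2HttpMessageConverter();
        jsonConverter.setObjectMapper(HtmlSafeObjectMapper.create());
        converters.add(jsonConverter);   // populating this list replaces Spring's default converters
    }
}

/** Stand-alone check of the mapper; no servlet container needed. */
class Demo {
    public static void main(String[] args) throws IOException {
        Map<String, Object> comment = new LinkedHashMap<>();   // constructed sample payload
        comment.put("author", "O'Brien");
        comment.put("body", "<b>bold</b> & <script>alert(1)</script>");
        System.out.println(HtmlSafeObjectMapper.create().writeValueAsString(comment));
    }
}
```

Two caveats before adopting this in production: escaping inside the JSON layer means every consumer of the API receives HTML entities, including non-browser clients and front-end frameworks that already escape on render (which then shows "&amp;lt;" to the user). Output encoding belongs at the point where the string becomes HTML; when JSON is embedded directly in a script block, the \u003C-style escaping that Jackson's ESCAPE_STANDARD produces is the appropriate defence there.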
Source: https://stackoverflow.com/questions/15133811/html-escape-with-spring-mvc-and-jackson-mapper