堆栈内存溢出
  简体   繁体   English

Spring Boot @ResponseBody Jackson - 逃离所有String字段

[英]Spring Boot @ResponseBody Jackson - escape all String fields

 原文  2019-04-17 16:09:58       java/ spring/ spring-boot/ jackson/ jackson-databind

问题描述

Is there any way to configure Jackson in Spring Boot so I can HTML escape all the values in the @RequestBody? 有没有办法在Spring Boot中配置Jackson,所以我可以在HTML中转义@RequestBody中的所有值? I have tried with serializers but as far as I know they are defined to a specific class. 我已尝试使用序列化程序,但据我所知,它们已定义为特定类。 I would need a filter which process all the values sent in the JSON and escape them with something like: 我需要一个过滤器来处理JSON中发送的所有值,并使用以下内容对它们进行转义: 

StringEscapeUtils.escapeHtml4(value)

Thanks 谢谢

1 个解决方案

解决方案1
 0  2019-04-18 07:45:51

How about creating an XSS filter and invoke it in RequestInterceptor 如何创建一个XSS过滤器并在RequestInterceptor中调用它 

public class XSSRequestWrapper extends HttpServletRequestWrapper {

public XSSRequestWrapper(HttpServletRequest request) {
    super(request);
}

/**
 * Get XSS stripped parameter values
 * @param parameter parameter values string to be checked
 * @return xss striped encoded string
 */
@Override
public String[] getParameterValues(String parameter)
{
    String[] values = super.getParameterValues(parameter);
    if(values == null)
    {
        return new String[0];
    }
    int count = values.length;
    String[] encodedValues = new String[count];
    for(int i=0; i<count; i++)
    {
        encodedValues[i]= stripXSS(values[i]);
    }
    return encodedValues;
}

/**
 * Get XSS stripped parameter
 * @param parameter parameter string to be checked
 * @return xss striped encoded string
 */
@Override
public String getParameter(String parameter)
{
    String value = super.getParameter(parameter);
    return stripXSS(value);
}

/**
 * Get XSS stripped header
 * @param name header string to be checked
 * @return xss striped encoded string
 */
@Override
public String getHeader(String name)
{
    String value = super.getHeader(name);
    return stripXSS(value);
}

private String stripXSS(String value)
{
    return HtmlUtils.htmlEscape(value);
}
}

XSS filter as below XSS过滤器如下 

 @WebFilter(urlPatterns = "/*")
 public class XSSFilter implements Filter {


/**
 * Filter initialization
 * @param filterConfig FilterConfig
*/
@Override
public void init(FilterConfig filterConfig) {
    // nothing required here
}

/**
 * Actual filter implementation
 * @param servletRequest ServletRequest
 * @param servletResponse ServletResponse
 * @param filterChain FilterChain
 * @throws IOException IOException
 * @throws ServletException ServletException
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    filterChain.doFilter(new XSSRequestWrapper((HttpServletRequest) servletRequest), servletResponse);
}

/**
 * Filter destroy
 */
@Override
public void destroy() {
    // nothing required here
}
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Boot JUnit Jackson无法反序列化所有字段 - Spring Boot JUnit Jackson Cannot Deserialize All Fields Spring Boot 和 Spring Data MongoDB:在 ResponseBody 中隐藏字段 - Spring Boot and Spring Data MongoDB: hiding fields in a ResponseBody 如何转换ArrayList <String> 在Spring @ResponseBody中使用Jackson的JSON对象 - How to convert ArrayList<String> to JSON object using Jackson in Spring @ResponseBody Spring @ResponseBody和Jackson JsonSerializer用于枚举接口 - Spring @ResponseBody and Jackson JsonSerializer for an enum interface ResponseBody 正在打印空体以进行弹簧启动测试 - ResponseBody is printing empty body for spring boot test 在 spring 引导中使用 @ResponseBody 在浏览器上显示图像 - Showing an image on broswer using @ResponseBody in spring boot 每个方法在Spring @Controller上的Jackson @ResponseBody自定义序列化 - Jackson @ResponseBody custom serialization on Spring @Controller per method 在春季启动时反序列化杰克逊 - Deserialize jackson in spring boot 春季靴子杰克逊与日期 - Spring boot Jackson with Date Spring引导2.04 Jackson无法将LocalDateTime序列化为String - Spring boot 2.04 Jackson cannot serialize LocalDateTime to String
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM