Spring Boot @ResponseBody Jackson - escape all String fields
Is there a way to configure Jackson in Spring Boot so that I can HTML-escape all values in the @RequestBody? I have tried using serializers, but as far as I know they are defined for a specific class. I need a filter that processes all values sent in the JSON and escapes them with the following:
StringEscapeUtils.escapeHtml4(value)
Thanks
How to create an XSS filter and call it from a RequestInterceptor

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.web.util.HtmlUtils;

public class XSSRequestWrapper extends HttpServletRequestWrapper {

    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Get XSS-stripped parameter values
     * @param parameter name of the parameter whose values are to be checked
     * @return XSS-stripped, HTML-encoded strings
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return new String[0];
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Get XSS-stripped parameter
     * @param parameter name of the parameter to be checked
     * @return XSS-stripped, HTML-encoded string
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return stripXSS(value);
    }

    /**
     * Get XSS-stripped header
     * @param name name of the header to be checked
     * @return XSS-stripped, HTML-encoded string
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }

    /**
     * HTML-escape a single value. Absent parameters and headers arrive as null,
     * and HtmlUtils.htmlEscape rejects null input, so pass null through unchanged.
     */
    private String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        return HtmlUtils.htmlEscape(value);
    }
}
```
The XSS filter is as follows

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

// Spring Boot only picks up @WebFilter when a configuration class carries @ServletComponentScan.
@WebFilter(urlPatterns = "/*")
public class XSSFilter implements Filter {

    /**
     * Filter initialization
     * @param filterConfig FilterConfig
     */
    @Override
    public void init(FilterConfig filterConfig) {
        // nothing required here
    }

    /**
     * Actual filter implementation: wraps every request so that parameter and
     * header reads go through XSSRequestWrapper and come back HTML-escaped.
     * @param servletRequest ServletRequest
     * @param servletResponse ServletResponse
     * @param filterChain FilterChain
     * @throws IOException IOException
     * @throws ServletException ServletException
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        filterChain.doFilter(new XSSRequestWrapper((HttpServletRequest) servletRequest), servletResponse);
    }

    /**
     * Filter destroy
     */
    @Override
    public void destroy() {
        // nothing required here
    }
}
```
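The wrapper above only covers form parameters and headers, not the JSON body the question asks about. As an added example (not part of the answer above), the following registers a Jackson module whose String deserializer HTML-escapes every String field of any @RequestBody; Spring Boot's Jackson auto-configuration registers any `Module` bean automatically. The class names `HtmlEscapingJacksonConfig` and `HtmlEscapingStringDeserializer` are assumed, not from the page.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.deser.std.StdScalarDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.util.HtmlUtils;

// Assumed class name: not from the original question or answer.
@Configuration
public class HtmlEscapingJacksonConfig {

    /**
     * Replaces Jackson's default String deserializer so that every JSON string
     * bound into a String field (at any nesting depth, in any DTO) is escaped
     * once on the way in.
     */
    static class HtmlEscapingStringDeserializer extends StdScalarDeserializer<String> {

        HtmlEscapingStringDeserializer() {
            super(String.class);
        }

        @Override
        public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            // getValueAsString() also coerces numbers/booleans bound to String fields,
            // matching the default deserializer; JSON null stays null.
            String raw = p.getValueAsString();
            return raw == null ? null : HtmlUtils.htmlEscape(raw);
        }
    }

    /** Exposed as a bean so Spring Boot adds it to the auto-configured ObjectMapper. */
    @Bean
    public SimpleModule htmlEscapingStringModule() {
        SimpleModule module = new SimpleModule("html-escaping-strings");
        module.addDeserializer(String.class, new HtmlEscapingStringDeserializer());
        return module;
    }
}
```

Because this escapes on input, stored data is already HTML-encoded; a view layer that escapes again on output (Thymeleaf, JSP `c:out`) will double-encode, so pick one boundary and apply the escaping there.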