HTML escape with Spring MVC and Jackson Mapper

Views: 995

Question

I am going to escape HTML in Spring MVC with Jackson Mapper to avoid XSS attacks.

I searched for escaping with Jackson alone and for how to configure Jackson in Spring. I tried exporting JSON with text like "<" and ">", and I expect them to be escaped to &#60; and &#62;.

For example, I added some text enclosed in a "bold tag" <b>; I expect to see the plain bold-tag text in the front-end HTML, but the text ends up shown in bold style in the front-end HTML page.

Below is my approach; I don't know why it didn't work out.

Can anyone help?

Thanks in advance!

import org.codehaus.jackson.map.ObjectMapper;

public class CustomObjectMapper extends ObjectMapper {
    public CustomObjectMapper() {
        // Install the custom escape table on the factory so every generator
        // this mapper creates uses it (JsonFactory.setCharacterEscapes, Jackson 1.8+).
        this.getJsonFactory().setCharacterEscapes(new CustomCharacterEscapes());
    }
}

import org.codehaus.jackson.SerializableString;
import org.codehaus.jackson.io.CharacterEscapes;

public class CustomCharacterEscapes extends CharacterEscapes {
    private final int[] asciiEscapes;

    public CustomCharacterEscapes() {
        // Start from Jackson's default table (control characters, '"' and '\\')
        // and additionally mark the HTML-sensitive characters for escaping.
        // ESCAPE_STANDARD emits a JSON unicode escape (backslash-u plus four
        // hex digits), not an HTML entity such as &#60;.
        int[] esc = CharacterEscapes.standardAsciiEscapesForJSON();
        esc['<'] = CharacterEscapes.ESCAPE_STANDARD;
        esc['>'] = CharacterEscapes.ESCAPE_STANDARD;
        esc['&'] = CharacterEscapes.ESCAPE_STANDARD;
        esc['\''] = CharacterEscapes.ESCAPE_STANDARD;
        asciiEscapes = esc;
    }

    @Override
    public int[] getEscapeCodesForAscii() {
        return asciiEscapes;
    }

    @Override
    public SerializableString getEscapeSequence(int ch) {
        // Only consulted for characters marked ESCAPE_CUSTOM; none are, so
        // returning null is correct here.
        return null;
    }
}

<bean
    class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
    <property name="messageConverters">
        <array>
            <bean id="jsonConverter"
                class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter">
                <property name="objectMapper">
                    <bean class="x.y.z.CustomObjectMapper" />
                </property>
            </bean>
        </array>
    </property>
</bean>
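As an added example (not the poster's code), the same character-escape idea ported to Jackson 2.x (com.fasterxml, assumed on the classpath), this time using ESCAPE_CUSTOM so getEscapeSequence actually supplies the sequence. The round trip at the end shows the property of this approach that matters for XSS: the escapes are JSON-level, so any JSON parser, including the browser's, turns them straight back into <b>, and a client that assigns the value to innerHTML still renders bold. This escaping only protects the case where the JSON document itself is embedded in HTML (for example inline in a <script> block); HTML encoding for the page has to happen where the value meets the DOM (or by using text-only DOM APIs there).

```java
// Added example, not from the original post: Jackson 2.x CharacterEscapes that
// escapes <, >, & and ' as JSON unicode escapes. Assumes jackson-databind 2.x.
import com.fasterxml.jackson.core.SerializableString;
import com.fasterxml.jackson.core.io.CharacterEscapes;
import com.fasterxml.jackson.core.io.SerializedString;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.Collections;
import java.util.Map;

public class JsonLevelEscapeDemo {

    /** Marks HTML-sensitive ASCII characters for custom escaping. */
    static final class HtmlSensitiveEscapes extends CharacterEscapes {
        private final int[] asciiEscapes;

        HtmlSensitiveEscapes() {
            int[] esc = CharacterEscapes.standardAsciiEscapesForJSON();
            esc['<'] = CharacterEscapes.ESCAPE_CUSTOM;
            esc['>'] = CharacterEscapes.ESCAPE_CUSTOM;
            esc['&'] = CharacterEscapes.ESCAPE_CUSTOM;
            esc['\''] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes = esc;
        }

        @Override
        public int[] getEscapeCodesForAscii() {
            return asciiEscapes;
        }

        @Override
        public SerializableString getEscapeSequence(int ch) {
            // Jackson also consults this for non-ASCII characters; return null
            // for everything we did not mark so those pass through unchanged.
            if (ch < asciiEscapes.length && asciiEscapes[ch] == ESCAPE_CUSTOM) {
                // Backslash-u plus four upper-case hex digits, e.g. 003C for '<'.
                return new SerializedString(String.format("\\u%04X", ch));
            }
            return null;
        }
    }

    /** ObjectMapper whose generators all use the escape table above. */
    static ObjectMapper escapingMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.getFactory().setCharacterEscapes(new HtmlSensitiveEscapes());
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = escapingMapper();
        // Constructed sample value standing in for user-supplied text.
        Map<String, String> body =
                Collections.singletonMap("text", "<b>bold</b> & 'quoted'");

        String json = mapper.writeValueAsString(body);
        System.out.println(json);

        // Parsing undoes the escapes: the client receives the original markup.
        Map<?, ?> parsed = mapper.readValue(json, Map.class);
        System.out.println(parsed.get("text"));
        System.out.println(body.get("text").equals(parsed.get("text")));
    }
}
```

Running it prints the JSON with every <, >, & and ' replaced by its four-digit unicode escape, then the decoded value <b>bold</b> & 'quoted' and true: the wire format changed, the data did not. That is exactly the behaviour the question reports (the text still renders bold), and it is why JSON escaping and HTML output encoding are separate controls.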

Answer

I have never tried to write my own HttpMessageConverter, but I did find this posting that seems pretty relevant to what you want to do. Looking at their solution vs. what you posted here, I can say the biggest differences I noticed were that you did not seem to implement/override the following:

  1. protected boolean supports(Class clazz), which says which type you support (in your case I would investigate whether it should be Object or Serializable, if you want it generic enough to handle every possibility, or some class specific to your domain objects)

  2. protected Object readInternal(Class clazz, HttpInputMessage inputMessage), which looks like it is used on the request side

  3. protected void writeInternal(Object t, HttpOutputMessage outputMessage), which looks like it is used on the response side

Another approach might be to simply create a custom Jackson serializer in conjunction with @ResponseBody. Or, better yet, if you have a value that is user-driven and you're storing it in a database, escape the values prior to insertion. That way you don't need to do anything at all, and the value(s) in question would be "safe" from end to end. If you wanted to get crazy-fancy, you could write a custom java.beans.PropertyEditor that escapes Strings for HTML and plug that into the mix using the InitBinder.

Finally, I would like to recommend that, instead of trying to replace the characters on your own, you use something like Apache Commons-Lang's StringEscapeUtils to escape the values.
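The answer's "custom Jackson serializer plus StringEscapeUtils" suggestion, worked through as an added example (not the answerer's code): a JsonSerializer<String> that HTML-entity-encodes every String value, registered through a SimpleModule, and wired into Spring MVC's Jackson converter. It assumes jackson-databind 2.x, commons-lang3 (whose escapeHtml4 is deprecated in favour of the identically named method in commons-text) and spring-webmvc 5.x, and that the nested WebConfig class is component-scanned. One caveat a practitioner should weigh: registering the serializer converter-wide encodes every String the API returns, so clients that are not HTML pages, or client code that inserts values with textContent, will see literal &lt; and &amp;. Applying it per property with @JsonSerialize(using = HtmlEscapingStringSerializer.class) narrows the scope, and the same context problem applies to escaping before database insertion, which ties stored data to a single output context; encoding at the point where the value is rendered remains the usual control.

```java
// Added example, not from the original answer: HTML-escaping String serializer
// for Jackson 2.x and its Spring MVC wiring. Assumed dependencies:
// jackson-databind 2.x, commons-lang3, spring-webmvc 5.x.
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

public class HtmlEscapingJsonDemo {

    /** Writes every String value with <, >, & and " replaced by HTML entities. */
    public static final class HtmlEscapingStringSerializer extends JsonSerializer<String> {
        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider provider)
                throws IOException {
            // escapeHtml4 handles the entity table; Jackson then applies its own
            // JSON string escaping on top, so the output stays valid JSON.
            gen.writeString(StringEscapeUtils.escapeHtml4(value));
        }
    }

    /** ObjectMapper whose String values are HTML-escaped on output (not on input). */
    public static ObjectMapper htmlEscapingMapper() {
        SimpleModule module = new SimpleModule("html-escaping");
        module.addSerializer(String.class, new HtmlEscapingStringSerializer());
        return new ObjectMapper().registerModule(module);
    }

    /** Spring MVC wiring: swap the escaping mapper into the JSON converter Spring registered. */
    @Configuration
    public static class WebConfig implements WebMvcConfigurer {
        @Override
        public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
            for (HttpMessageConverter<?> converter : converters) {
                if (converter instanceof MappingJackson2HttpMessageConverter) {
                    ((MappingJackson2HttpMessageConverter) converter)
                            .setObjectMapper(htmlEscapingMapper());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value standing in for user-supplied text.
        String json = htmlEscapingMapper().writeValueAsString(
                Collections.singletonMap("text", "<b>bold</b> & \"quoted\""));
        System.out.println(json);
    }
}
```

The main method prints {"text":"&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quoted&quot;"}; a page that drops that value into innerHTML now shows the literal tag text, which is the behaviour the question was after. Map keys are unaffected because Jackson uses separate key serializers for them.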
