Sanitizing response JSON from Spring MVC Controller using JSON Sanitizer?
Question
I want to intercept the JSON sent back from a Spring MVC Rest Controller and run it through a sanitizer that ensures it's valid and HTML-escapes any dodgy characters. (Possibly the OWASP JSON Sanitizer)
We use the Jackson HTTP Message converter to convert the @ResponseBody to JSON; as far as I can see, once I return the object as a @ResponseBody I lose control of it.
Is there a sensible way to intercept the JSON as a String to run sanitization code on it?
I'm currently investigating three avenues:
- Write a filter and a ResponseWrapper that sanitize the JSON before it is sent back to the client.
- Extend the JSON mapper to somehow provide sanitized JSON.
- Write a HandlerInterceptor and use it to modify the response.
I'm not sure if any of these will work or if there is a more sensible third option.
Recommended answer
I know this answer may be too late, but I needed to do the same thing, so I added a serializer to the JSON mapper.
Web config:
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import com.fasterxml.jackson.databind.ObjectMapper;

// @Configuration is required for @EnableWebMvc to be picked up
@Configuration
@EnableWebMvc
public class WebConfig extends WebMvcConfigurerAdapter {

    @Override
    public void configureMessageConverters(
            List<HttpMessageConverter<?>> converters) {
        // the list is empty, so we just add our converter
        converters.add(jsonConverter());
    }

    @Bean
    public HttpMessageConverter<Object> jsonConverter() {
        // every String value is serialized through SanitizedStringSerializer
        ObjectMapper objectMapper = Jackson2ObjectMapperBuilder
                .json()
                .serializerByType(String.class, new SanitizedStringSerializer())
                .build();
        return new MappingJackson2HttpMessageConverter(objectMapper);
    }
}
String serializer:
import java.io.IOException;
import org.apache.commons.lang3.StringEscapeUtils;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.std.NonTypedScalarSerializerBase;

public class SanitizedStringSerializer extends NonTypedScalarSerializerBase<String> {

    public SanitizedStringSerializer() {
        super(String.class);
    }

    @Override
    public void serialize(String value, JsonGenerator jgen, SerializerProvider provider)
            throws IOException {
        // HTML-escape the value, then let Jackson apply normal JSON escaping.
        // writeRawValue("\"" + ... + "\"") would skip the JSON escaping, so a
        // value containing a newline or backslash would produce invalid JSON.
        jgen.writeString(StringEscapeUtils.escapeHtml4(value));
    }
}
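As an added stand-alone example (not part of the original answer), the same serializer registered on a plain ObjectMapper via a SimpleModule and exercised on a constructed payload, so both properties the question asks for can be checked outside Spring: the output is still valid JSON and no raw markup survives in string values. Class and field names here are hypothetical.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.lang3.StringEscapeUtils;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;

public class SanitizerDemo {

    // Same idea as the answer's serializer (hypothetical name): HTML-escape the
    // value, then writeString so Jackson still applies JSON escaping.
    static class HtmlEscapingStringSerializer extends StdSerializer<String> {
        HtmlEscapingStringSerializer() { super(String.class); }

        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider p)
                throws IOException {
            gen.writeString(StringEscapeUtils.escapeHtml4(value));
        }
    }

    // Registers the serializer for every String value (map keys use key
    // serializers and are not affected).
    static ObjectMapper sanitizingMapper() {
        SimpleModule module = new SimpleModule();
        module.addSerializer(String.class, new HtmlEscapingStringSerializer());
        return new ObjectMapper().registerModule(module);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = sanitizingMapper();
        // Constructed sample: stored values that a user could have supplied
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("displayName", "<script>alert(1)</script>");
        body.put("note", "line1\nline2 \"quoted\" \\ backslash");
        body.put("count", 42);
        String json = mapper.writeValueAsString(body);
        System.out.println(json);

        // Check 1: the output is still parseable JSON (a raw-value approach breaks on \n or \\)
        JsonNode parsed = new ObjectMapper().readTree(json);
        // Check 2: no raw angle brackets remain in the decoded string value
        String name = parsed.get("displayName").asText();
        if (name.contains("<") || name.contains(">")) {
            throw new IllegalStateException("unescaped markup in: " + name);
        }
        System.out.println("displayName as a client decodes it: " + name);
    }
}
```

Note that this changes the data itself (`&lt;` is what every consumer receives, not only browsers), so it is output encoding for an HTML context applied at the API layer; clients that render into the DOM via textContent or a templating engine with auto-escaping do not need it and will display the entities literally.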