要求:
對 Content-Type 為 application/json 的請求參數做 xss 過濾
SpringMVC 對於application/json 轉換處理說明:
spring mvc默認使用MappingJackson2HttpMessageConverter轉換器,
而它是使用 jackson 來序列化對象的;如果我們能將 jackson 的序列化和反序列化過程修改,加入過濾 xss 的代碼,並將其註冊到 MappingJackson2HttpMessageConverter 中,就能對 JSON 請求參數做 xss 過濾。
具體實現功能代碼:
import java.io.IOException;
import org.apache.commons.text.StringEscapeUtils;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
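/**
 * Jackson {@code String} deserializer that HTML-escapes every string value read from a
 * JSON request body, so that markup such as {@code <script>} reaches the controller as
 * {@code &lt;script&gt;}.
 *
 * <p>Only values that Jackson routes through a {@code String} deserializer are affected
 * (bodies handled by the converter this class is registered with); query and form
 * parameters never pass through here.
 *
 * <p>NOTE(review): if {@code XssDefaultJsonSerializer} (registered alongside this class,
 * not shown here) also escapes on output, stored values will be double-encoded on the
 * way back out — keep escaping on one side only. Confirm against that class.
 */
public class XssDefaultJsonDeserializer extends StdDeserializer<String> {

    /** Creates a deserializer that reports {@code String} as its handled type. */
    public XssDefaultJsonDeserializer() {
        // Pass the real value class rather than null so handledType() is not null.
        this(String.class);
    }

    /**
     * @param vc the handled value class, normally {@code String.class}
     */
    public XssDefaultJsonDeserializer(Class<String> vc) {
        super(vc);
    }

    /**
     * Reads the current token's text and returns it HTML-escaped.
     *
     * @param jsonParser parser positioned on the value to read
     * @param ctxt deserialization context (unused)
     * @return the escaped text, or {@code null} if the parser yields no text
     * @throws IOException if the underlying parser fails
     */
    @Override
    public String deserialize(JsonParser jsonParser, DeserializationContext ctxt) throws IOException, JsonProcessingException {
        // Escape, do not unescape: unescapeHtml4 would decode entity-encoded input
        // ("&lt;script&gt;" -> "<script>"), which is the opposite of filtering it.
        // escapeHtml4 (not escapeEcmaScript) is used because the threat is HTML/markup
        // injection; escapeEcmaScript leaves '<' and '>' untouched.
        return StringEscapeUtils.escapeHtml4(jsonParser.getText());
    }
}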
SpringMVC 配置對象:
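/**
 * Spring MVC configuration that installs a Jackson message converter whose
 * {@code String} serializer and deserializer are the XSS-escaping ones defined above.
 *
 * <p>NOTE(review): in Spring MVC, adding to the list inside
 * {@code configureMessageConverters} replaces the default converter set, so after this
 * configuration only Jackson-handled (JSON) bodies can be read or written unless the
 * other default converters are added here as well (or {@code extendMessageConverters}
 * is used instead). Also, only {@code application/json} bodies go through this
 * converter; query and form parameters are not escaped by it — confirm this matches
 * the intended scope.
 */
@Configuration
@EnableWebMvc
public class SpingMVCConfig extends WebMvcConfigurerAdapter {

    /**
     * Registers a {@link MappingJackson2HttpMessageConverter} backed by an
     * {@link ObjectMapper} that escapes strings on input and output.
     *
     * @param converters the converter list Spring MVC will use; one converter is appended
     */
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        // WebMvcConfigurerAdapter's own configureMessageConverters is empty, so the
        // former super call was a no-op and is dropped.
        SimpleModule xssModule = new SimpleModule();
        // Request side: escape string values as they are read.
        xssModule.addDeserializer(String.class, new XssDefaultJsonDeserializer());
        // Response side: handled by the project's XssDefaultJsonSerializer.
        xssModule.addSerializer(String.class, new XssDefaultJsonSerializer());

        // Build the mapper with Spring's defaults, then attach the custom module.
        ObjectMapper mapper = Jackson2ObjectMapperBuilder.json().build();
        mapper.registerModule(xssModule);

        converters.add(new MappingJackson2HttpMessageConverter(mapper));
    }
}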