一、DEMO學習
最近寫獲取車輛品牌車系時,用Gson解析後臺返回的數據會有html的字符,是後臺返回有html字符,解決的辦法自定義Gson的TypeAdapter。
DEMO如下:
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
doCase1();
doCase2();
doCase3();
doCase4();
doCase5();
}
private void doCase1(){
Student student = new Student();
student.name = "李明";
student.sex = "<";
Gson mGson = new GsonBuilder().create();
String jsonStr = mGson.toJson(student);
Log.i("TEST", "jsonStr1" + jsonStr);
}
private void doCase2(){
Student student = new Student();
student.name = "李明";
student.sex = "<";
Gson mGson = new GsonBuilder().disableHtmlEscaping().create();
String jsonStr = mGson.toJson(student);
Log.i("TEST", "jsonStr2" + jsonStr);
}
private void doCase3(){
String jsonStr = "{\"id\":1,\"str\":\"test\",\"html\":\"<script>alert('xss')</script>\"}";
Gson mGson = new GsonBuilder().disableHtmlEscaping().create();
Log.i("TEST", "beanStr3" + mGson.fromJson(jsonStr, TestObject.class));
}
private void doCase4(){
String jsonStr = "{\"id\":1,\"str\":\"test\",\"html\":\"<script></script>\"}";
Gson mGson = new GsonBuilder().disableHtmlEscaping().
registerTypeAdapter(String.class, new StringUnescapeDeserializer()).create();
Log.i("TEST", "beanStr4" + mGson.fromJson(jsonStr, TestObject.class));
}
private void doCase5(){
String jsonStr = "{\"id\":1,\"str\":\"test\",\"html\":\"(script>(/script>\"}";
Gson mGson = new GsonBuilder().disableHtmlEscaping().
registerTypeAdapter(String.class, new StringUnescapeDeserializer()).create();
Log.i("TEST", "beanStr4" + mGson.fromJson(jsonStr, TestObject.class));
}
打印結果如下:
I/TEST: jsonStr1{"name":"李明","sex":"\u003c"}
I/TEST: jsonStr2{"name":"李明","sex":"<"}
I/TEST: beanStr3TestObject [id=1, str=test, html=<script>alert('xss')</script>]
I/TEST: beanStr4TestObject [id=1, str=test, html=<script></script>]
I/TEST: beanStr4TestObject [id=1, str=test, html=(script>(/script>]
二、具體做法
Gson mGson = new GsonBuilder().disableHtmlEscaping().create();
這一段代碼是防止實體在被轉成json串的時候被轉義成html字符;
Gson mGson = new GsonBuilder().disableHtmlEscaping().
registerTypeAdapter(String.class, new StringUnescapeDeserializer()).create();
這一段代碼是在json轉成實體時,將json中的html字符轉義成正常字符集;
自定義 序列號adapter StringUnescapeDeserializer 代碼如下:
public class StringUnescapeDeserializer implements JsonDeserializer<String>{
public String deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context)
throws JsonParseException {
String src = json.getAsJsonPrimitive().getAsString();
if (src.indexOf('&') == -1) {
return src;
} else {
// 可能存在html實體字符
return StringEscapeUtils.unescapeHtml4(src);
}
}
}
參考致謝:
(1)、避免Gson使用時將一些字符自動轉換爲Unicode轉義字符
(2)、Gson 基礎教程 —— 自定義類型適配器(TypeAdapter)
(3)、自定義GSON類型適配器
(4)、Json轉換利器Gson之實例六-註冊TypeAdapter及處理Enum類型