HTML output with Spring MVC and Jackson Mapper

I want to escape HTML in Spring MVC using Jackson Mapper to prevent XSS attacks.

I'm only looking at escaping with Jackson and how to set up Jackson in Spring.
I tried to export JSON with text like "<" and ">", and I expect them to be escaped to &#60; and &#62;.

For example, I added text wrapped in a bold <b> tag. I expect to see plain text on the front-end HTML page, but instead the text is rendered in bold on the front-end HTML page.

Below is my approach, I do not know why this did not work.

Anyone can help?

Thanks in advance!

    import org.codehaus.jackson.SerializableString;
    import org.codehaus.jackson.io.CharacterEscapes;
    import org.codehaus.jackson.map.ObjectMapper;

    public class CustomObjectMapper extends ObjectMapper {
        public CustomObjectMapper() {
            this.getJsonFactory().setCharacterEscapes(new CustomCharacterEscapes());
        }
    }

    public class CustomCharacterEscapes extends CharacterEscapes {
        private final int[] asciiEscapes;

        public CustomCharacterEscapes() {
            int[] esc = CharacterEscapes.standardAsciiEscapesForJSON();
            // ESCAPE_STANDARD makes Jackson emit these characters as \uXXXX escapes
            esc['<'] = CharacterEscapes.ESCAPE_STANDARD;
            esc['>'] = CharacterEscapes.ESCAPE_STANDARD;
            esc['&'] = CharacterEscapes.ESCAPE_STANDARD;
            esc['\''] = CharacterEscapes.ESCAPE_STANDARD;
            asciiEscapes = esc;
        }

        @Override
        public int[] getEscapeCodesForAscii() {
            return asciiEscapes;
        }

        @Override
        public SerializableString getEscapeSequence(int ch) {
            // only consulted for ESCAPE_CUSTOM entries; none are used above
            return null;
        }
    }



    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
        <property name="messageConverters">
            <array>
                <bean id="jsonConverter"
                      class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter">
                    <property name="objectMapper">
                        <bean class="xyzCustomObjectMapper" />
                    </property>
                </bean>
            </array>
        </property>
    </bean>

1 answer

I never tried to write my own HttpMessageConverter, but I found this publication that seems pretty relevant to what you want to do. Looking at their solution compared to what you posted here, I can say that the biggest differences I noticed are that you did not seem to implement / override the following:

  • protected boolean supports(Class clazz), which indicates what type of class you support (I would guess that in your case it will be Object or Serializable if you want it to be generic enough to handle every possibility, or some class specific to objects of your domain)
  • protected Object readInternal(Class clazz, HttpInputMessage inputMessage), which looks like it is used for the request side
  • protected void writeInternal(T object, HttpOutputMessage outputMessage), which looks like it is used for the response side

Another approach might be to simply create a custom Jackson serializer in combination with @ResponseBody. Or, even better, if you have a value that is user-driven and you store it in a database, escape the values before inserting. That way you do not need to do anything else, and the value(s) in question will be "safe" from end to end. If you want to get really fancy, you can write a custom java.beans.PropertyEditor that escapes Strings for HTML and plug it into the mix using InitBinder.

Lastly, I would recommend that instead of trying to replace the characters yourself, you use something like Apache Commons-Lang StringEscapeUtils to escape the values.
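As an added example (not code from the question or the answer above), here is the custom-serializer route the answer suggests: a Jackson 1.x String serializer that entity-escapes HTML on the way out, wired into the same MappingJacksonHttpMessageConverter the question configures. The class and method names (HtmlEscapingStringSerializer, htmlEscapingMapper, jsonConverter) are hypothetical, and it assumes commons-lang3 on the classpath.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import org.apache.commons.lang3.StringEscapeUtils;
import org.codehaus.jackson.JsonGenerator;
import org.codehaus.jackson.Version;
import org.codehaus.jackson.map.JsonSerializer;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.SerializerProvider;
import org.codehaus.jackson.map.module.SimpleModule;
import org.springframework.http.converter.json.MappingJacksonHttpMessageConverter;

// Hypothetical class: applies HTML entity escaping to every String Jackson writes.
public class HtmlEscapingStringSerializer extends JsonSerializer<String> {

    @Override
    public void serialize(String value, JsonGenerator jgen, SerializerProvider provider)
            throws IOException {
        // Entity-escape <, >, &, " so the JSON value already reads "&lt;b&gt;...".
        // CharacterEscapes.ESCAPE_STANDARD only emits \u003C, which JSON.parse in the
        // browser turns back into "<"; the entities written here survive that round trip.
        jgen.writeString(StringEscapeUtils.escapeHtml4(value));
    }

    // ObjectMapper with the serializer registered for all String values.
    public static ObjectMapper htmlEscapingMapper() {
        ObjectMapper mapper = new ObjectMapper();
        SimpleModule module = new SimpleModule("html-escaping", new Version(1, 0, 0, null));
        module.addSerializer(String.class, new HtmlEscapingStringSerializer());
        mapper.registerModule(module);
        return mapper;
    }

    // Same wiring as the XML in the question, expressed in code.
    public static MappingJacksonHttpMessageConverter jsonConverter() {
        MappingJacksonHttpMessageConverter converter = new MappingJacksonHttpMessageConverter();
        converter.setObjectMapper(htmlEscapingMapper());
        return converter;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the bold-tag input from the question.
        Map<String, String> body = Collections.singletonMap("text", "<b>bold</b>");
        // Prints {"text":"&lt;b&gt;bold&lt;/b&gt;"}; a page that drops this into
        // innerHTML shows the literal tags instead of rendering bold text.
        System.out.println(htmlEscapingMapper().writeValueAsString(body));
    }
}
```

Escaping at serialization time only protects consumers that render the JSON as HTML; a client that uses the same value in a non-HTML context will now see the entities, so the answer's suggestion of escaping where the value is rendered (or stored) is the option that fits every consumer.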


Source: https://habr.com/ru/post/1264497/
