From 28a2717231b211ee39a3c422087154df31a49fad Mon Sep 17 00:00:00 2001
From: xiongxiaoyang <773861846@qq.com>
Date: Sat, 21 May 2022 08:26:20 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E8=A7=A3=E5=86=B3=20Json=20=E6=A0=BC?=
 =?UTF-8?q?=E5=BC=8F=E8=AF=B7=E6=B1=82=E5=8F=82=E6=95=B0=E7=9A=84=20=20XSS?=
 =?UTF-8?q?=20=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../deserializer/GlobalJsonDeserializer.java | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 src/main/java/io/github/xxyopen/novel/core/json/deserializer/GlobalJsonDeserializer.java
diff --git a/src/main/java/io/github/xxyopen/novel/core/json/deserializer/GlobalJsonDeserializer.java b/src/main/java/io/github/xxyopen/novel/core/json/deserializer/GlobalJsonDeserializer.java
new file mode 100644
index 0000000..5276406
--- /dev/null
+++ b/src/main/java/io/github/xxyopen/novel/core/json/deserializer/GlobalJsonDeserializer.java
@@ -0,0 +1,34 @@
+package io.github.xxyopen.novel.core.json.deserializer;
+
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import org.springframework.boot.jackson.JsonComponent;
+
+import java.io.IOException;
+
+
+/**
+ * JSON 全局反序列化器
+ *
+ * @author xiongxiaoyang
+ * @date 2022/5/21
+ */
+@JsonComponent
+public class GlobalJsonDeserializer {
+
+ /**
+ * 字符串反序列化器
+ * 过滤特殊字符,解决 XSS 攻击
+ */
+ public static class StringDeserializer extends JsonDeserializer {
+
+ @Override
+ public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException, JacksonException {
+ return jsonParser.getValueAsString()
+ .replace("<", "<")
+ .replace(">", ">");
+ }
+ }
+}
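Review bot: In `StringDeserializer.deserialize`, `jsonParser.getValueAsString()` is chained straight into `.replace(...)`, but it returns `null` for tokens that are not scalars (for example a field whose value is an object or array), so a malformed or hostile request body would turn into a NullPointerException inside Jackson instead of a normal 400-style deserialization error; guard it with `String raw = jsonParser.getValueAsString();` and `return raw == null ? null : raw.replace("<", "&lt;").replace(">", "&gt;");`. The replacement targets render here as bare `<` and `>`, which would make both calls no-ops; presumably they are the HTML entities `&lt;`/`&gt;` lost in rendering, and likewise `JsonDeserializer` presumably carries a `<String>` type argument, but both should be confirmed against the actual file. Rewriting only `<` and `>` is also not a complete XSS defense: `"`, `'` and `&` are untouched, so a value injected into an HTML attribute context (e.g. `" onmouseover=...`) is still exploitable, and encoding at input time corrupts legitimate data (any text containing `a < b` is stored as `a &lt; b` and gets double-encoded when a template escapes it again). Since this class is registered globally via `@JsonComponent`, every String field in every JSON request is rewritten, so the safer fix is context-aware output encoding at render time (or a proper HTML sanitizer library for fields that must accept markup) with a class-level comment stating that this deserializer is only a defense-in-depth layer, not the primary XSS control.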