1. Look at the method source in WebMvcAutoConfiguration.class:

    protected ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() {
        try {
            // Look it up from the container
            return (ConfigurableWebBindingInitializer) this.beanFactory.getBean(ConfigurableWebBindingInitializer.class);
        } catch (NoSuchBeanDefinitionException ex) {
            return super.getConfigurableWebBindingInitializer();
        }
    }

As the code shows, the ConfigurableWebBindingInitializer is fetched from the container (beanFactory), so we can configure our own ConfigurableWebBindingInitializer to replace the default one; all we need to do is add our custom converter to the container. Once we have created our own ConfigurableWebBindingInitializer bean, Spring Boot automatically uses it to configure Spring MVC's parameter type conversion.
2. A custom property editor

    import java.beans.PropertyEditorSupport;

    import org.springframework.web.util.HtmlUtils;
    import org.springframework.web.util.JavaScriptUtils;

    /**
     * @description Used together with Spring MVC's @InitBinder to guard against XSS attacks
     */
    class StringEscapeEditor extends PropertyEditorSupport {
        /** Escape HTML */
        private final boolean escapeHTML;
        /** Escape JavaScript */
        private final boolean escapeJavaScript;
        /** Whether to convert an empty string to null */
        private final boolean emptyAsNull;
        /** Whether to trim leading and trailing whitespace */
        private final boolean trimmed;

        /** Defaults: emptyAsNull=true, trimmed=true, escapeHTML=false, escapeJavaScript=true. */
        public StringEscapeEditor() {
            this(true, true, false, true);
        }

        public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript) {
            this(true, true, escapeHTML, escapeJavaScript);
        }

        public StringEscapeEditor(boolean emptyAsNull, boolean trimmed, boolean escapeHTML, boolean escapeJavaScript) {
            super();
            this.emptyAsNull = emptyAsNull;
            this.trimmed = trimmed;
            this.escapeHTML = escapeHTML;
            this.escapeJavaScript = escapeJavaScript;
        }

        @Override
        public String getAsText() {
            Object value = getValue();
            return value != null ? value.toString() : null;
        }

        @Override
        public void setAsText(String text) throws IllegalArgumentException {
            // Null input, or empty input when emptyAsNull is set, is bound as null.
            // Returning here also keeps null away from the escape helpers below.
            if (text == null || (emptyAsNull && text.isEmpty())) {
                setValue(null);
                return;
            }
            String value = text;
            if (trimmed) {
                // Trim leading and trailing whitespace from the string parameter
                value = value.trim();
            }
            if (escapeHTML) {
                // HTML escaping (guards against XSS)
                // HtmlUtils.htmlEscape defaults to ISO-8859-1, which escapes some Chinese punctuation.
                // To leave those characters unescaped, pass UTF-8, e.g. HtmlUtils.htmlEscape(text, "UTF-8")
                value = HtmlUtils.htmlEscape(value, "UTF-8");
            }
            if (escapeJavaScript) {
                // JavaScript escaping (guards against XSS)
                value = JavaScriptUtils.javaScriptEscape(value);
            }
            setValue(value);
        }
    }
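3. Create a WebBindingInitializerConfiguration class and add the @Bean annotation so that the Spring container manages the initializer.

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.format.support.DefaultFormattingConversionService;
    import org.springframework.format.support.FormattingConversionService;
    import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;

    @Configuration
    public class WebBindingInitializerConfiguration {

        // This bean replaces the initializer Spring MVC would otherwise build (see section 1),
        // so the conversion service and validator set here are the ones in effect.
        @Bean
        public ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() {
            ConfigurableWebBindingInitializer initializer = new ConfigurableWebBindingInitializer();
            FormattingConversionService conversionService = new DefaultFormattingConversionService();
            // we can add our custom converters and formatters
            // conversionService.addConverter(...);
            // conversionService.addFormatter(...);
            initializer.setConversionService(conversionService);
            // we can set our custom validator
            // initializer.setValidator(....);
            // here we are setting a custom PropertyEditor
            initializer.setPropertyEditorRegistrar(propertyEditorRegistry -> {
                propertyEditorRegistry.registerCustomEditor(String.class,
                        new StringEscapeEditor());
            });
            return initializer;
        }
    }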
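
A quick check of what this registration does at binding time, as an added example that is not code from the original page: it drives a WebDataBinder directly, the way Spring MVC does for form and query parameters, once with the editor registered and once without. CommentForm, HtmlEscapeEditor (a condensed stand-in for StringEscapeEditor) and the sample input are assumptions made for the illustration; it needs spring-web on the classpath and Java 9+.

```java
import java.beans.PropertyEditorSupport;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;
import org.springframework.web.util.HtmlUtils;

public class BindingEscapeCheck {
    /** Hypothetical form object: one String property and one non-String property. */
    public static class CommentForm {
        private String body;
        private int rating;
        public String getBody() { return body; }
        public void setBody(String body) { this.body = body; }
        public int getRating() { return rating; }
        public void setRating(int rating) { this.rating = rating; }
    }

    /** Condensed stand-in for the page's StringEscapeEditor: trim + HTML-escape only. */
    static class HtmlEscapeEditor extends PropertyEditorSupport {
        @Override
        public void setAsText(String text) {
            setValue(text == null ? null : HtmlUtils.htmlEscape(text.trim(), "UTF-8"));
        }
    }

    /** Binds request-style parameters onto a fresh form using the given initializer. */
    static CommentForm bind(ConfigurableWebBindingInitializer initializer, Map<String, String> params) {
        CommentForm form = new CommentForm();
        WebDataBinder binder = new WebDataBinder(form, "commentForm");
        initializer.initBinder(binder); // runs the registered PropertyEditorRegistrar
        binder.bind(new MutablePropertyValues(params));
        return form;
    }

    public static void main(String[] args) {
        ConfigurableWebBindingInitializer initializer = new ConfigurableWebBindingInitializer();
        initializer.setPropertyEditorRegistrar(registry ->
                registry.registerCustomEditor(String.class, new HtmlEscapeEditor()));

        // Constructed sample input, not taken from the page.
        Map<String, String> params = Map.of("body", "  <script>alert(1)</script> ", "rating", "5");

        CommentForm escaped = bind(initializer, params);
        CommentForm raw = bind(new ConfigurableWebBindingInitializer(), params);
        System.out.println("with editor   : " + escaped.getBody() + " / rating=" + escaped.getRating());
        System.out.println("without editor: " + raw.getBody());
    }
}
```

Editors registered this way run only for values bound through a WebDataBinder (query and form parameters, @ModelAttribute objects); a @RequestBody payload deserialized by an HttpMessageConverter does not pass through them.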