Home/ Questions/Q 3978092
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T05:00:13+00:00

We generate lots of JSON objects using Spring and its built-in MappingJacksonHttpMessageConverter . All

  • 0

We generate lots of JSON objects using Spring and its built-in MappingJacksonHttpMessageConverter . All great.

But now I want to html escape String values of my (any kind of) objects in order to prevent XSS.

So, how do i approach this problem? I first thought I could write a custom Object mapper and put it into the MappkingJacksonHttpMessageConverter. However, the writeValue takes an Object, and I don’t want that, I want to have its fields to iterate over. Instead of doing that myself, I bet the jackson converter needs to do that as well. So i want to influence that part.

Now I end up with a SerializerProvider interface. The standard implementation (StdSerializerProvider) is getting called by the ObjectMapper. So somewhere there I want to override/influence the method that is responsible for setting values.

Is that possible? As far as I can see it is hard to extend. I cannot override the StdSerializerProvider to override the method that ObjectMapper uses. Perhaps I need to override another one?

Or, perhaps this is totally wrong and I need to approach it from a totally different angle?

Any thoughts?

Oh btw, implementing the SerializerProvider myself and creating a composit that delegates to the StdSerializerProvider, might be possible but I’d rather not to. (i already have problems instantiating the StdSerializerProvider myself).

Any thoughts are appreciated!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are multiple ways, depending on how you can identify things you want to escape. Some thoughts:

    • If you want to quote/escape all Strings, you could define custom String serializer
    • You could first serialize as JSON tree (JsonNode) — ObjectMapper.convertValue(pojo, JsonNode.class) — modify it, then serialize to JSON (ObjectMapper.writeValue(intermediateTree))
    • If you want a flexible system where you can add annotation for fields that need special handling, you could use Jackson 1.7 feature of ContextualSerializers; custom serializer that can reconfigure itself based on annotations. It may seem like an overkill at first, but this could be used to easily specify custom modifiers (annotation property with value of Class, that indicates object that serializer can call to modify value being serialized — like escape)

    EDIT: even better option, as pointed out by @Philzen, is use of CharacterEscapes -> see https://www.cowtowncoder.com/blog/archives/2012/08/entry_476.html

    • 0