使用 Json.Net 序列化模型时自动对字符串进行 HtmlEncode
Automatically HtmlEncode strings when the model is serialized with Json.Net
有没有办法配置Json.Net在模型序列化时自动编码所有字符串,如HtmlEncode(myString)
?
您可以使用与 中的解决方案类似的解决方案,并进行一些小的更改:
- 更改
HtmlEncodingValueProvider
以在 GetValue
而不是 SetValue
中应用编码(以便它在序列化而不是反序列化时进行编码)。
- 更改解析器以将值提供程序应用于所有字符串属性,而不是查找属性。
结果代码如下所示:
public class CustomResolver : DefaultContractResolver
{
protected override IList<JsonProperty> CreateProperties(Type type, MemberSerialization memberSerialization)
{
IList<JsonProperty> props = base.CreateProperties(type, memberSerialization);
// Attach an HtmlEncodingValueProvider instance to all string properties
foreach (JsonProperty prop in props.Where(p => p.PropertyType == typeof(string)))
{
PropertyInfo pi = type.GetProperty(prop.UnderlyingName);
if (pi != null)
{
prop.ValueProvider = new HtmlEncodingValueProvider(pi);
}
}
return props;
}
protected class HtmlEncodingValueProvider : IValueProvider
{
PropertyInfo targetProperty;
public HtmlEncodingValueProvider(PropertyInfo targetProperty)
{
this.targetProperty = targetProperty;
}
// SetValue gets called by Json.Net during deserialization.
// The value parameter has the original value read from the JSON;
// target is the object on which to set the value.
public void SetValue(object target, object value)
{
targetProperty.SetValue(target, (string)value);
}
// GetValue is called by Json.Net during serialization.
// The target parameter has the object from which to read the string;
// the return value is the string that gets written to the JSON
public object GetValue(object target)
{
string value = (string)targetProperty.GetValue(target);
return System.Web.HttpUtility.HtmlEncode(value);
}
}
}
像这样使用自定义 ContractResolver
:
var settings = new JsonSerializerSettings
{
ContractResolver = new CustomResolver(),
Formatting = Formatting.Indented
};
string json = JsonConvert.SerializeObject(your_object, settings);
Fiddle: https://dotnetfiddle.net/RhFlk8
试试这个:
var json = JObject.Parse("{'Name':'<script>alert(1);</script>'}");
var serializerSettings = new JsonSerializerSettings()
{
StringEscapeHandling = StringEscapeHandling.EscapeHtml
};
var result = JsonConvert.SerializeObject(json, serializerSettings);
结果将是:
{"Name":"\u003cscript\u003ealert(1);\u003c/script\u003e"}
我找到了一种非常简单的方法 (WebAPI2)。
设置对象属性时,只需使用以下编码即可。
myObject.encoded_field = HttpUtility.HtmlEncode(your_html_content)
有没有办法配置Json.Net在模型序列化时自动编码所有字符串,如HtmlEncode(myString)
?
您可以使用与
- 更改
HtmlEncodingValueProvider
以在GetValue
而不是SetValue
中应用编码(以便它在序列化而不是反序列化时进行编码)。 - 更改解析器以将值提供程序应用于所有字符串属性,而不是查找属性。
结果代码如下所示:
public class CustomResolver : DefaultContractResolver
{
protected override IList<JsonProperty> CreateProperties(Type type, MemberSerialization memberSerialization)
{
IList<JsonProperty> props = base.CreateProperties(type, memberSerialization);
// Attach an HtmlEncodingValueProvider instance to all string properties
foreach (JsonProperty prop in props.Where(p => p.PropertyType == typeof(string)))
{
PropertyInfo pi = type.GetProperty(prop.UnderlyingName);
if (pi != null)
{
prop.ValueProvider = new HtmlEncodingValueProvider(pi);
}
}
return props;
}
protected class HtmlEncodingValueProvider : IValueProvider
{
PropertyInfo targetProperty;
public HtmlEncodingValueProvider(PropertyInfo targetProperty)
{
this.targetProperty = targetProperty;
}
// SetValue gets called by Json.Net during deserialization.
// The value parameter has the original value read from the JSON;
// target is the object on which to set the value.
public void SetValue(object target, object value)
{
targetProperty.SetValue(target, (string)value);
}
// GetValue is called by Json.Net during serialization.
// The target parameter has the object from which to read the string;
// the return value is the string that gets written to the JSON
public object GetValue(object target)
{
string value = (string)targetProperty.GetValue(target);
return System.Web.HttpUtility.HtmlEncode(value);
}
}
}
像这样使用自定义 ContractResolver
:
var settings = new JsonSerializerSettings
{
ContractResolver = new CustomResolver(),
Formatting = Formatting.Indented
};
string json = JsonConvert.SerializeObject(your_object, settings);
Fiddle: https://dotnetfiddle.net/RhFlk8
试试这个:
var json = JObject.Parse("{'Name':'<script>alert(1);</script>'}");
var serializerSettings = new JsonSerializerSettings()
{
StringEscapeHandling = StringEscapeHandling.EscapeHtml
};
var result = JsonConvert.SerializeObject(json, serializerSettings);
结果将是:
{"Name":"\u003cscript\u003ealert(1);\u003c/script\u003e"}
我找到了一种非常简单的方法 (WebAPI2)。
设置对象属性时,只需使用以下编码即可。
myObject.encoded_field = HttpUtility.HtmlEncode(your_html_content)