一、DEMO学习
最近写获取车辆品牌车系时,用Gson解析后台返回的数据会有html的字符,是后台返回有html字符,解决的办法自定义Gson的TypeAdapter。
DEMO如下:
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
doCase1();
doCase2();
doCase3();
doCase4();
doCase5();
}
private void doCase1(){
Student student = new Student();
student.name = "李明";
student.sex = "<";
Gson mGson = new GsonBuilder().create();
String jsonStr = mGson.toJson(student);
Log.i("TEST", "jsonStr1" + jsonStr);
}
private void doCase2(){
Student student = new Student();
student.name = "李明";
student.sex = "<";
Gson mGson = new GsonBuilder().disableHtmlEscaping().create();
String jsonStr = mGson.toJson(student);
Log.i("TEST", "jsonStr2" + jsonStr);
}
private void doCase3(){
String jsonStr = "{\"id\":1,\"str\":\"test\",\"html\":\"<script>alert('xss')</script>\"}";
Gson mGson = new GsonBuilder().disableHtmlEscaping().create();
Log.i("TEST", "beanStr3" + mGson.fromJson(jsonStr, TestObject.class));
}
private void doCase4(){
String jsonStr = "{\"id\":1,\"str\":\"test\",\"html\":\"<script></script>\"}";
Gson mGson = new GsonBuilder().disableHtmlEscaping().
registerTypeAdapter(String.class, new StringUnescapeDeserializer()).create();
Log.i("TEST", "beanStr4" + mGson.fromJson(jsonStr, TestObject.class));
}
private void doCase5(){
String jsonStr = "{\"id\":1,\"str\":\"test\",\"html\":\"(script>(/script>\"}";
Gson mGson = new GsonBuilder().disableHtmlEscaping().
registerTypeAdapter(String.class, new StringUnescapeDeserializer()).create();
Log.i("TEST", "beanStr4" + mGson.fromJson(jsonStr, TestObject.class));
}
打印结果如下:
I/TEST: jsonStr1{"name":"李明","sex":"\u003c"}
I/TEST: jsonStr2{"name":"李明","sex":"<"}
I/TEST: beanStr3TestObject [id=1, str=test, html=<script>alert('xss')</script>]
I/TEST: beanStr4TestObject [id=1, str=test, html=<script></script>]
I/TEST: beanStr4TestObject [id=1, str=test, html=(script>(/script>]
二、具体做法
Gson mGson = new GsonBuilder().disableHtmlEscaping().create();
这一段代码是防止实体在被转成json串的时候被转义成html字符;
Gson mGson = new GsonBuilder().disableHtmlEscaping().
registerTypeAdapter(String.class, new StringUnescapeDeserializer()).create();
这一段代码是在json转成实体时,将json中的html字符转义成正常字符集;
自定义 序列号adapter StringUnescapeDeserializer 代码如下:
public class StringUnescapeDeserializer implements JsonDeserializer<String>{
public String deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context)
throws JsonParseException {
String src = json.getAsJsonPrimitive().getAsString();
if (src.indexOf('&') == -1) {
return src;
} else {
// 可能存在html实体字符
return StringEscapeUtils.unescapeHtml4(src);
}
}
}
参考致谢:
(1)、避免Gson使用时将一些字符自动转换为Unicode转义字符
(2)、Gson 基础教程 —— 自定义类型适配器(TypeAdapter)
(3)、自定义GSON类型适配器
(4)、Json转换利器Gson之实例六-注册TypeAdapter及处理Enum类型