@ControllerAdvice
public class BaseControllerAdvice {
@InitBinder
protected void initBinder(WebDataBinder webDatabinder) {
//controller 所有接收的参数,进行String进行HTML编码,防止XSS攻击
binder.registerCustomEditor(String.class, new PropertyEditorSupport() {
public String getAsText() {
Object text= getValue();
return text!= null ? text.toString() : "";
}
public void setAsText(String text) {
setValue(text == null ? null : StringEscapeUtils.escapeHtml4(text.trim()));
}
});
}
}