I've got some code that takes some input JSON and deserializes it into a simple Java class (a POJO) using Jackson and the "treeToValue" method, much like the example here:
MyBean bean = mapper.treeToValue(node, MyBean.class);
I'd like to be able to process the text of all node values in my JSON to scan for possibly XSS attacks, and encode the HTML as required.
Is there anyway to do this with treeToValue, or readValue easily? I'd like to just add a callback of sorts so when a node value is parsed, it allows me to change the node text as I see fit. I looked at the source, and I think I might have to derive a custom TreeTraversingParser to do this nicely, and override "getText".
Any better suggestions?
Turns out this can be done using a custom ObjectMapper!
public CustomObjectMapper()
{
super();
SimpleModule stringModule = new SimpleModule("StringModule", new Version(1, 0, 0, null)).addDeserializer(String.class, new CustomStringDeserializer());
registerModule(stringModule);
}
private static class CustomStringDeserializer extends JsonDeserializer<String>
{
@Override
public String deserialize(JsonParser parser, DeserializationContext context) throws IOException
{
if (parser.getCurrentToken() == JsonToken.VALUE_STRING)
{
String text = parser.getText();
// Do whatever you want to the text here
return text;
}
}
}
Then, when you call treeToValue with your custom object mapper, it'll process your nodes using the deserialize method.
CustomObjectMapper mapper = new CustomObjectMapper();
MyBean bean = mapper.treeToValue(node, MyBean.class);