To prevent XSS, we run request parameters through jsoup's clean method. This approach, however, places certain requirements on the input; otherwise you end up with a situation like the following.
Parameter: {"coldContNo":"HT-20210927-0002","companyNo":"C002914","customerScore":5.15,"detailList":[{"id":114,"coldContNo":"HT-20210927-0002","item":"商务","itemIndex":"经营年限(年)","proportion":"5%","score":"【1】10
【2】 5
【3】 0","standard":"【1】>5 年
【2】≤5 年 并且≥ 2 年
【3】< 2 年","actualScore":"0","finalScore":"0.0","rater":null,"version":null,"sort":1,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":1,"scoringOptions":"10,5,0","tempWeight":0.05,"tempOption":["10","5","0"]},{"id":115,"coldContNo":"HT-20210927-0002","item":"商务","itemIndex":"注册资本","proportion":"10%","score":"【1】10
【2】 5
【3】 0","standard":"【1】>RMB5百万
【2】≤RMB5百万 并且≥RMB3百万
【3】
【3】 0","standard":"【1】上市公司
【2】股份有限公司
【3】其他","actualScore":"0","finalScore":"0.0","rater":null,"version":null,"sort":3,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":1,"scoringOptions":"10,5,0","tempWeight":0.05,"tempOption":["10","5","0"]},{"id":117,"coldContNo":"HT-20210927-0002","item":"管理","itemIndex":"与万科的关系","proportion":"10%","score":"【1】10
【2】 5
【3】 0","standard":"【1】至少2年
【2】至少1年
【3】其他","actualScore":"10","finalScore":1,"rater":null,"version":null,"sort":4,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":0,"scoringOptions":"10,5,0","tempWeight":0.1,"tempOption":["10","5","0"]},{"id":118,"coldContNo":"HT-20210927-0002","item":"财务","itemIndex":"过去支付记录","proportion":"15%","score":"【1】10
【2】 5
【3】 0","standard":"【1】准时付款
【2】超期但得到特殊审批
【3】超期加催收函","actualScore":"5","finalScore":0.75,"rater":null,"version":null,"sort":5,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":0,"scoringOptions":"10,5,0","tempWeight":0.15,"tempOption":["10","5","0"]},{"id":119,"coldContNo":"HT-20210927-0002","item":"财务","itemIndex":"企业征信报告","proportion":"10%","score":"【1】10
【3】 0","standard":"【1】提供
【3】未提供","actualScore":"10","finalScore":1,"rater":null,"version":null,"sort":6,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":0,"scoringOptions":"10,0","tempWeight":0.1,"tempOption":["10","0"]},{"id":120,"coldContNo":"HT-20210927-0002","item":"行业前景","itemIndex":"外部识别","proportion":"10%","score":"【1】10
【2】 5
【3】 0","standard":"【1】生产制造及快销行业等
【2】贸易公司
【3】第三方代理","actualScore":"10","finalScore":1,"rater":null,"version":null,"sort":7,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":0,"scoringOptions":"10,5,0","tempWeight":0.1,"tempOption":["10","5","0"]},{"id":121,"coldContNo":"HT-20210927-0002","item":"收入","itemIndex":"估计年收入","proportion":"15%","score":"【1】10
【2】 6
【3】 3","standard":"【1】>RMB1百万
【2】RMB12万
【2】 6
【3】 3","standard":"【1】EBIT>0
【2】EBITDA>0
【3】GP>0","actualScore":"10","finalScore":"2.0","rater":null,"version":null,"sort":9,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":1,"scoringOptions":"10,6,3","tempWeight":0.2,"tempOption":["10","6","3"]},{"id":123,"coldContNo":"HT-20210927-0002","item":"扣分项","itemIndex":"过去3年的应收相关诉","proportion":"15%","score":"【1】-10
【2】 -6
【3】 -3
【4】 0","standard":"【1】≥5
【2】2≤X<5
【3】1
【4】0","actualScore":"-10","finalScore":-1.5,"rater":null,"version":null,"sort":10,"isDel":0,"createTime":null,"createUser":null,"updateTime":null,"updateUser":null,"editable":0,"scoringOptions":"-10,-6,-3,0","tempWeight":0.15,"tempOption":["-10","-6","-3","0"]}]}
When the interface object receives this input, entries go missing from detailList: ten entries were sent, yet the backend object ends up with only nine. Looking at the source code, an XssHttpServletRequestWrapper passes the input through jsoup's clean strategy. jsoup's clean turns the parameter into a jsoup Document object, and that is where the problem arises: the < (less-than sign) in the parameter above is parsed as the start of an HTML tag, for example
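The following Java example is added here and is not code from the page's project. It contrasts the wrapper's whole-body Jsoup.clean with a structure-preserving alternative that parses the JSON first and escapes only string values; it assumes jsoup 1.14+ (Safelist) and Jackson on the classpath, and uses a constructed two-entry sample shaped like the "standard" field above.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Entities;
import org.jsoup.safety.Safelist;
import java.util.ArrayList;
import java.util.List;

public class JsonXssWrapperDemo {
    // Constructed sample, not the page's request. "<RMB" begins a tag name for
    // jsoup's tokenizer; "< 2" (space after '<') is kept as plain text.
    static final String RAW =
        "{\"detailList\":[{\"standard\":\"【3】<RMB3百万\"},{\"standard\":\"【3】< 2 年\"}]}";

    // What the page's XssHttpServletRequestWrapper does: HTML-clean the entire body.
    // Everything from "<RMB..." up to the next '>' (or end of input) is read as a
    // tag and dropped, so the result is no longer valid JSON.
    static String cleanWholeBody(String body) {
        return Jsoup.clean(body, Safelist.none());
    }

    // Structure-preserving alternative: parse first, then escape only string leaves.
    // Keys, numbers, nesting and array length are untouched.
    static JsonNode escapeStringLeaves(JsonNode node) {
        if (node.isObject()) {
            ObjectNode obj = (ObjectNode) node;
            List<String> names = new ArrayList<>();
            obj.fieldNames().forEachRemaining(names::add);
            for (String name : names) obj.replace(name, escapeStringLeaves(obj.get(name)));
        } else if (node.isArray()) {
            ArrayNode arr = (ArrayNode) node;
            for (int i = 0; i < arr.size(); i++) arr.set(i, escapeStringLeaves(arr.get(i)));
        } else if (node.isTextual()) {
            // '<' becomes "&lt;", so the value cannot open a tag when rendered later.
            return TextNode.valueOf(Entities.escape(node.asText()));
        }
        return node;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("whole-body clean : " + cleanWholeBody(RAW));
        ObjectMapper mapper = new ObjectMapper();
        JsonNode escaped = escapeStringLeaves(mapper.readTree(RAW));
        System.out.println("per-field escape : " + mapper.writeValueAsString(escaped));
        System.out.println("detailList size  : " + escaped.get("detailList").size());
    }
}
```

The per-field variant keeps both detailList entries; output encoding in the view layer remains the primary XSS control, and this step only stops the request filter from silently corrupting JSON bodies.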