Struts2: a record of a request-parameter problem

Recently, a front-end request was sent normally, but the value of one request parameter changed on the back end, causing an error. The problem was as follows:

Checking the request parameters of the incoming request: the parameter is a JSON string containing a key-value pair named description.

However, when request.getParameter() is called to retrieve the parameter value, the JSON string has changed: an extra deion key-value pair appears out of thin air, as shown below:

This leads to a subsequent JSON parsing error:

Because the code contains no additional processing logic for this value, it should not change under normal circumstances. Looking at the source of the getParameter() method, we found two overrides of it:

Stepping into the two corresponding Filters in turn:

No modification logic was found in the first one.

In the second Filter we found the XSS-injection protection, which processes the request. The second mark in the figure shows that every occurrence of the text "script" in the value is replaced, which caused the problem above: after the replacement, the description key in the JSON became deion.

After discovering this, we optimized the replacement logic (one option is to check for the boundaries of a script tag before replacing; other approaches are possible), and the problem was solved.
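To make the failure mode concrete, here is an added example (my own code, not the filter from the original post or from Struts2) that places the blind substring replacement side by side with a tag-boundary-aware replacement, the first of the fixes the post mentions. The method names naiveStripScript and stripScriptTags, and the sample JSON values, are hypothetical; in a real servlet application they would be called from the HttpServletRequestWrapper.getParameter(String) override inside the XSS filter.

```java
import java.util.regex.Pattern;

/**
 * Two ways a servlet XSS filter might "remove script" from a request
 * parameter value. Method names are hypothetical; in a Struts2/servlet
 * app they would sit behind HttpServletRequestWrapper.getParameter().
 */
public class ScriptParamSanitizer {

    // Blind substring replacement: the bug described in the post.
    // Any value that merely contains the letters "script" inside a
    // longer word (description, subscription, ...) is silently corrupted.
    static String naiveStripScript(String value) {
        if (value == null) {
            return null;
        }
        return value.replaceAll("(?i)script", "");
    }

    // Boundary-aware replacement: only an actual <script ...> opening tag
    // or </script> closing tag is removed. The "<" and the word boundary
    // after "script" are what keep ordinary words intact.
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("(?is)<\\s*/?\\s*script\\b[^>]*>");

    static String stripScriptTags(String value) {
        if (value == null) {
            return null;
        }
        return SCRIPT_TAG.matcher(value).replaceAll("");
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the original post.
        String benign = "{\"description\":\"quarterly report\"}";
        String hostile = "{\"description\":\"<script>alert(1)</script>ok\"}";

        // Blind replacement renames the JSON key in both cases.
        System.out.println("naive,   benign : " + naiveStripScript(benign));
        System.out.println("naive,   hostile: " + naiveStripScript(hostile));

        // Boundary-aware replacement leaves the benign value untouched and
        // removes only the tags from the hostile one.
        System.out.println("bounded, benign : " + stripScriptTags(benign));
        System.out.println("bounded, hostile: " + stripScriptTags(hostile));
    }
}
```

Running it, naiveStripScript turns the benign value into `{"deion":"quarterly report"}`, which is exactly the corrupted key the post observed, while stripScriptTags returns it unchanged; on the hostile value the naive version leaves `<>alert(1)</>` fragments behind with the key still broken, whereas the bounded version yields `{"description":"alert(1)ok"}`. Tag stripping of this kind is still a blacklist: the robust control against XSS is contextual output encoding at the point where the value is rendered, with input filters reserved for rejecting or logging clearly malformed data rather than rewriting it. A key that silently changes name between the front end and the controller, as here, is also a useful symptom to watch for when a filter chain has been modified.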


Origin: blog.csdn.net/weixin_40709965/article/details/132282469