Escape JSON String in Java – 在Java中逃逸JSON字符串

最后修改: 2018年 12月 11日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

In this short tutorial, we’ll show some ways to escape a JSON string in Java.

在这个简短的教程中,我们将展示一些在Java中转义JSON字符串的方法。

We’ll take a quick tour of the most popular JSON-processing libraries and how they make escaping a simple task.

我们将快速浏览一下最流行的JSON处理库,以及它们如何使转义成为一项简单的任务。

2. What Could Go Wrong?

2.什么会出错?

Let’s consider a simple yet common use case of sending a user-specified message to a web service. Naively, we might try:

让我们考虑一个简单而常见的用例,即向一个网络服务发送一个用户指定的消息。直观地说,我们可能会尝试。

String payload = "{\"message\":\"" + message + "\"}";
sendMessage(payload);

But, really, this can introduce many problems.

但是,说真的,这可能会带来很多问题。

The simplest is if the message contains a quote:

最简单的是如果信息中包含一个引号。

{ "message" : "My "message" breaks json" }

Worse is the user can knowingly break the semantics of the request. If he sends:

更糟的是用户可以在知情的情况下破坏请求的语义。如果他发送了

Hello", "role" : "admin

Then the message becomes:

那么信息就变成了。

{ "message" : "Hello", "role" : "admin" }

The simplest approach is to replace quotes with the appropriate escape sequence:

最简单的方法是用适当的转义序列替换引号。

String payload = "{\"message\":\"" + message.replace("\"", "\\\"") + "\"}";

However, this approach is quite brittle:

然而,这种方法是相当脆弱的。

  • It needs to be done for every concatenated value, and we need to always keep in mind which strings we’ve already escaped
  • Moreover, as the message structure changes over time, this can become a maintenance headache
  • And it’s hard to read, making it even more error-prone

Simply put, we need to employ a more general approach. Unfortunately, native JSON processing features are still in the JEP phase, so we’ll have to turn our sights to a variety of open source JSON libraries.

简单地说,我们需要采用一种更普遍的方法。不幸的是,原生JSON处理功能仍处于JEP阶段,所以我们不得不将目光转向各种开源JSON库。

Fortunately, there are several JSON processing libraries. Let’s take a quick look at the three most popular ones.

幸运的是,有几个JSON处理库。让我们快速浏览一下三个最受欢迎的库。

3. JSON-java Library

3.JSON Java库

The simplest and smallest library in our review is JSON-java also known as org.json.

在我们的评论中,最简单和最小的库是JSON-java,也被称为org.json

To construct a JSON object, we simply create an instance of JSONObject and basically treat it like a Map:

要构建一个JSON对象,我们只需创建一个JSONObject的实例,并基本上把它当作一个Map

JSONObject jsonObject = new JSONObject();
jsonObject.put("message", "Hello \"World\"");
String payload = jsonObject.toString();

This will take the quotes around “World” and escape them:

这将使 “世界 “周围的引号转义。

{
   "message" : "Hello \"World\""
}

4. Jackson Library

4.Jackson图书馆

One of the most popular and versatile Java libraries for JSON processing is Jackson.

用于JSON处理的最流行和最通用的Java库之一是Jackson

At first glance, Jackson behaves similarly to org.json:

乍一看,Jackson的行为与org.json相似:

Map<String, Object> params = new HashMap<>();
params.put("message", "Hello \"World\"");
String payload = new ObjectMapper().writeValueAsString(params);

However, Jackson can also support serializing Java objects.

然而,Jackson也可以支持序列化Java对象。

So let’s enhance our example a bit by wrapping our message in a custom class:

因此,让我们通过将我们的消息包装在一个自定义的类中来加强我们的例子。

class Payload {
    Payload(String message) {
        this.message = message;
    }

    String message;
    
    // getters and setters
}

Then, we need an instance of ObjectMapper to which we can pass an instance of our object:

然后,我们需要一个ObjectMapper的实例,我们可以将我们的对象的实例传递给它。

String payload = new ObjectMapper().writeValueAsString(new Payload("Hello \"World\""));

In both cases, we get the same result as before:

在这两种情况下,我们得到的结果与之前相同。

{
   "message" : "Hello \"World\""
}

In cases where we have an already-escaped property and need to serialize it without any further escaping, we may want to use Jackson’s @JsonRawValue annotation on that field.

如果我们有一个已经被转义的属性,并且需要在没有任何进一步转义的情况下将其序列化,我们可能想在该字段上使用Jackson的@JsonRawValue注释。

5. Gson Library

5.格森图书馆

Gson is a library from Google that often goes head to head with Jackson.

Gson是一个来自Google的库,它经常与Jackson进行正面交锋。

We can, of course, do as we did with org.json again:

当然,我们可以像对待org.json那样,再次进行:

JsonObject json = new JsonObject();
json.addProperty("message", "Hello \"World\"");
String payload = new Gson().toJson(gsonObject);

Or we can use custom objects, like with Jackson:

或者我们可以使用自定义对象,比如说杰克逊:

String payload = new Gson().toJson(new Payload("Hello \"World\""));

And we’ll again get the same result.

而我们又会得到同样的结果。

6. Conclusion

6.结语

In this short article, we’ve seen how to escape JSON strings in Java using different open source libraries.

在这篇短文中,我们已经看到了如何使用不同的开源库在Java中转义JSON字符串。

All the code related to this article can be found over on Github.

与本文有关的所有代码都可以在Github上找到over