cors config

pom.xml

@@ -98,6 +98,13 @@
             <version>2.6.0</version>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.16.0</version>
+        </dependency>
+
     </dependencies>
 
     <build>

src/main/java/com/interplug/qcast/config/json/HtmlCharacterEscapes.java

@@ -0,0 +1,59 @@
+package com.interplug.qcast.config.json;
+
+import com.fasterxml.jackson.core.SerializableString;
+import com.fasterxml.jackson.core.io.CharacterEscapes;
+import com.fasterxml.jackson.core.io.SerializedString;
+import org.apache.commons.lang3.StringEscapeUtils;
+
+/**
+ * <pre>
+ * xss 방어
+ *
+ * </pre>
+ *
+ * @author KimYoungHyun (youngh.kim@kt.com)
+ */
+public class HtmlCharacterEscapes extends CharacterEscapes {
+
+	private static final long serialVersionUID = 2432838078852295950L;
+	private final int[] asciiEscapes;
+
+	/**
+	 * xss 방지를 위해 escape 처리
+	 */
+	public HtmlCharacterEscapes() {
+		asciiEscapes = CharacterEscapes.standardAsciiEscapesForJSON();
+		asciiEscapes['<'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['>'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['&'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['\''] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['\"'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['('] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes[')'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['#'] = CharacterEscapes.ESCAPE_CUSTOM;
+	}
+
+	@Override
+	public int[] getEscapeCodesForAscii() {
+		return asciiEscapes;
+	}
+
+	@Override
+	public SerializableString getEscapeSequence(int ch) {
+		SerializedString serializedString = null;
+		char charAt = (char) ch;
+
+		// emoji(Emoticons) character
+		if (Character.isHighSurrogate(charAt) || Character.isLowSurrogate(charAt)) {
+			StringBuilder sb = new StringBuilder();
+			sb.append("\\u");
+			sb.append(String.format("%04x", ch));
+			serializedString = new SerializedString(sb.toString());
+		} else {
+			serializedString = new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString(charAt)));
+		}
+
+		return serializedString;
+	}
+
+}

src/main/java/com/interplug/qcast/config/security/WebConfig.java

@@ -0,0 +1,46 @@
+package com.interplug.qcast.config.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.interplug.qcast.config.json.HtmlCharacterEscapes;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+/**
+ * <pre>
+ * Web Config
+ * </pre>
+ *
+ * @author jaeyoung_lee (kkang090@gmail.com)
+ */
+@Configuration
+@RequiredArgsConstructor
+public class WebConfig implements WebMvcConfigurer {
+
+	private final ObjectMapper objectMapper;
+
+	@Override
+	public void addCorsMappings(CorsRegistry registry) {
+		registry.addMapping("/**").allowedOriginPatterns("*").allowCredentials(true).exposedHeaders("Authorization")
+				.allowedMethods("GET", "PUT", "POST", "PATCH", "DELETE", "OPTIONS");
+	}
+
+	/**
+	 * <pre>
+	 * XSS(Cross Site Scripting) converter
+	 * </pre>
+	 * 
+	 * @author KimYoungHyun (youngh.kim@kt.com)
+	 * @return
+	 */
+	@Bean
+	public MappingJackson2HttpMessageConverter jsonEscapeConverter() {
+		ObjectMapper copy = objectMapper.copy();
+		copy.getFactory().setCharacterEscapes(new HtmlCharacterEscapes());
+		return new MappingJackson2HttpMessageConverter(copy);
+	}
+
+}